#472 first fix and improve RubyBundleAuditAnalyzerTest.java

Test were failing b/c Gemfile.lock and Gemfile were missing. The files were missing b/c parent .gitignore them. Changes: 1. Force added new test files, and updated test with more result validation. 2. Added error logging from bundle-audit. 3. place holder for bundle-audit install directory in test dependencycheck.properties.
2026-01-14 15:53:36 +01:00 · 2016-03-20 15:54:24 -04:00
parent 42f4ae65d1
commit ff7d0fdb9d
5 changed files with 280 additions and 8 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
        final ProcessBuilder builder = new ProcessBuilder(args);
        builder.directory(folder);
        try {
+        	LOGGER.info("Launching: " + args + " from " + folder);
            return builder.start();
        } catch (IOException ioe) {
            throw new AnalysisException("bundle-audit failure", ioe);
@@ -194,6 +195,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
        }
        BufferedReader rdr = null;
        try {
+        	BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+        	while(errReader.ready()) {
+        		String error = errReader.readLine();
+        		LOGGER.warn(error);
+        	}
            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
            processBundlerAuditOutput(dependency, engine, rdr);
        } catch (IOException ioe) {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -17,24 +17,26 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertThat;
+
+import java.io.File;
+
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
+import static org.junit.Assert.assertTrue;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

-import java.io.File;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-
 /**
 * Unit tests for {@link RubyBundleAuditAnalyzer}.
 *
@@ -57,6 +59,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
    @Before
    public void setUp() throws Exception {
        try {
+//            Settings.initialize();
            analyzer = new RubyBundleAuditAnalyzer();
            analyzer.setFilesMatched(true);
            analyzer.initialize();
@@ -101,9 +104,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
    @Test
    public void testAnalysis() throws AnalysisException, DatabaseException {
        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/vulnerable/Gemfile.lock"));
+                "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
        final Engine engine = new Engine();
        analyzer.analyze(result, engine);
-        assertThat(engine.getDependencies().size(), is(not(0)));
+        int size = engine.getDependencies().size();
+        assertTrue(size == 1);
+        
+        Dependency dependency = engine.getDependencies().get(0);
+        assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
+        assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
    }
 }
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true

+#Use your own bundle-audit install directory.
+#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
--- a/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile
+++ b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile
@@ -0,0 +1,102 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# This needs to be with require false as it is
+# loaded after loading the test library to
+# ensure correct loading order
+gem 'mocha', '~> 0.14', require: false
+
+gem 'rack-cache', '~> 1.2'
+gem 'jquery-rails', '~> 3.1.0'
+gem 'turbolinks'
+gem 'coffee-rails', '~> 4.0.0'
+
+gem 'sprockets', '~> 3.0.0.rc.1'
+
+# require: false so bcrypt is loaded only when has_secure_password is used.
+# This is to avoid ActiveModel (and by extension the entire framework)
+# being dependent on a binary library.
+gem 'bcrypt', '~> 3.1.7', require: false
+
+# This needs to be with require false to avoid
+# it being automatically loaded by sprockets
+gem 'uglifier', '>= 1.3.0', require: false
+
+group :doc do
+  gem 'sdoc', '~> 0.4.0'
+  gem 'redcarpet', '~> 2.2.2', platforms: :ruby
+  gem 'w3c_validators'
+  gem 'kindlerb', '0.1.1'
+  gem 'mustache', '~> 0.99.8'
+end
+
+# AS
+gem 'dalli', '>= 2.2.1'
+
+# Add your own local bundler stuff
+local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
+instance_eval File.read local_gemfile if File.exist? local_gemfile
+
+group :test do
+  # FIX: Our test suite isn't ready to run in random order yet
+  gem 'minitest', '< 5.3.4'
+
+  platforms :mri_19 do
+    gem 'ruby-prof', '~> 0.11.2'
+  end
+
+  # platforms :mri_19, :mri_20 do
+  #   gem 'debugger'
+  # end
+
+  platforms :mri do
+    gem 'stackprof'
+  end
+
+  gem 'benchmark-ips'
+end
+
+platforms :ruby do
+  gem 'nokogiri', '>= 1.4.5'
+
+  # Needed for compiling the ActionDispatch::Journey parser
+  gem 'racc', '>=1.4.6', require: false
+
+  # AR
+  gem 'sqlite3', '~> 1.3.6'
+
+  group :db do
+    gem 'pg', '>= 0.11.0'
+    gem 'mysql', '>= 2.9.0'
+    gem 'mysql2', '>= 0.3.13', '< 0.4'
+  end
+end
+
+platforms :jruby do
+  gem 'json'
+  if ENV['AR_JDBC']
+    gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+      gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    end
+  else
+    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
+      gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
+    end
+  end
+end
+
+# gems that are necessary for ActiveRecord tests with Oracle database
+if ENV['ORACLE_ENHANCED']
+  platforms :ruby do
+    gem 'ruby-oci8', '>= 2.0.4'
+  end
+  gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
+end
+
+# A gem necessary for ActiveRecord tests with IBM DB
+gem 'ibm_db' if ENV['IBM_DB']
--- a/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock
+++ b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock
@@ -0,0 +1,154 @@
+PATH
+  remote: .
+  specs:
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
+      arel (~> 5.0.0)
+    activesupport (4.1.15)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.15)
+      sprockets-rails (~> 2.0)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (5.0.1.20140414130214)
+    bcrypt (3.1.10)
+    benchmark-ips (2.3.0)
+    builder (3.2.2)
+    coffee-rails (4.0.1)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.10.0)
+    dalli (2.7.5)
+    erubis (2.7.0)
+    execjs (2.6.0)
+    i18n (0.7.0)
+    jquery-rails (3.1.4)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.3)
+    kindlerb (0.1.1)
+      mustache
+      nokogiri
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.3.3)
+    mocha (0.14.0)
+      metaclass (~> 0.0.1)
+    mustache (0.99.8)
+    mysql (2.9.1)
+    mysql2 (0.3.20)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    pg (0.18.4)
+    racc (1.4.14)
+    rack (1.5.5)
+    rack-cache (1.5.1)
+      rack (>= 0.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
+    redcarpet (2.2.2)
+    ruby-prof (0.11.3)
+    sdoc (0.4.1)
+      json (~> 1.7, >= 1.7.7)
+      rdoc (~> 4.0)
+    sprockets (3.0.3)
+      rack (~> 1.0)
+    sprockets-rails (2.3.3)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.11)
+    stackprof (0.2.8)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.2)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+    w3c_validators (1.2)
+      json
+      nokogiri
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbcmysql-adapter (>= 1.3.0)
+  activerecord-jdbcpostgresql-adapter (>= 1.3.0)
+  activerecord-jdbcsqlite3-adapter (>= 1.3.0)
+  bcrypt (~> 3.1.7)
+  benchmark-ips
+  coffee-rails (~> 4.0.0)
+  dalli (>= 2.2.1)
+  jquery-rails (~> 3.1.0)
+  json
+  kindlerb (= 0.1.1)
+  minitest (< 5.3.4)
+  mocha (~> 0.14)
+  mustache (~> 0.99.8)
+  mysql (>= 2.9.0)
+  mysql2 (>= 0.3.13, < 0.4)
+  nokogiri (>= 1.4.5)
+  pg (>= 0.11.0)
+  racc (>= 1.4.6)
+  rack-cache (~> 1.2)
+  rails!
+  redcarpet (~> 2.2.2)
+  ruby-prof (~> 0.11.2)
+  sdoc (~> 0.4.0)
+  sprockets (~> 3.0.0.rc.1)
+  sqlite3 (~> 1.3.6)
+  stackprof
+  turbolinks
+  uglifier (>= 1.3.0)
+  w3c_validators
+
+BUNDLED WITH
+   1.11.2