From ff7d0fdb9dfe90fb6fb84f22e47d6143550069e1 Mon Sep 17 00:00:00 2001
From: bjiang
Date: Sun, 20 Mar 2016 15:54:24 -0400
Subject: [PATCH] #472 first fix and improve RubyBundleAuditAnalyzerTest.java
Test were failing b/c Gemfile.lock and Gemfile were missing. The files were missing b/c parent .gitignore them. Changes: 1. Force added new test files, and updated test with more result validation. 2. Added error logging from bundle-audit. 3. place holder for bundle-audit install directory in test dependencycheck.properties.
---
 .../analyzer/RubyBundleAuditAnalyzer.java | 6 +
 .../analyzer/RubyBundleAuditAnalyzerTest.java | 24 ++-
 .../test/resources/dependencycheck.properties | 2 +
 .../ruby/vulnerable/gems/rails-4.1.15/Gemfile | 102 ++++++++++++
 .../vulnerable/gems/rails-4.1.15/Gemfile.lock | 154 ++++++++++++++++++
 5 files changed, 280 insertions(+), 8 deletions(-)
 create mode 100755 dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile
 create mode 100755 dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index ced12e7e1..143e5928a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 final ProcessBuilder builder = new ProcessBuilder(args);
 builder.directory(folder);
 try {
+ LOGGER.info("Launching: " + args + " from " + folder);
 return builder.start();
 } catch (IOException ioe) {
 throw new AnalysisException("bundle-audit failure", ioe);
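Review bot: The added `LOGGER.info("Launching: " + args + " from " + folder);` builds the message by string concatenation; assuming `LOGGER` is the SLF4J logger used elsewhere in the project, the idiom is a parameterized call, `LOGGER.info("Launching: {} from {}", args, folder);`, which defers the `toString()` work until the level is actually enabled. The full command line and working directory are emitted at INFO for every Gemfile.lock analysed, which is noisy in normal runs and arguably belongs at DEBUG. The enclosing method starts before the hunk.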
@@ -194,6 +195,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 }
 BufferedReader rdr = null;
 try {
+ BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+ while(errReader.ready()) {
+ String error = errReader.readLine();
+ LOGGER.warn(error);
+ }
 rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
 processBundlerAuditOutput(dependency, engine, rdr);
 } catch (IOException ioe) {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
index 98227ea94..3fae262ff 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -17,24 +17,26 @@
 */
 package org.owasp.dependencycheck.analyzer;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertThat;
+
+import java.io.File;
+
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
+import static org.junit.Assert.assertTrue;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.File;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-
 /**
 * Unit tests for {@link RubyBundleAuditAnalyzer}.
 *
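Review bot: The `while(errReader.ready())` loop on the new stderr reader only logs whatever bundle-audit happens to have written at the instant it runs, so any warning emitted later is silently lost, and nothing drains stderr while `processBundlerAuditOutput` blocks on stdout — if the child writes more than the pipe buffer to stderr it blocks on write and the analysis hangs. `errReader` is also never closed, and the logged line carries no hint that it came from the child process (`LOGGER.warn("bundle-audit: {}", error)` would). Draining stderr on its own thread, as sketched below, fixes both; join it after stdout is consumed so the log is complete. The enclosing method begins and ends outside the hunk, and the sketch assumes `process` is final or effectively final.
```java
        try {
            // Drain stderr concurrently so a chatty bundle-audit cannot fill the
            // pipe and block while stdout is parsed below.
            final Thread errDrain = new Thread(new Runnable() {
                @Override
                public void run() {
                    try {
                        final BufferedReader errReader = new BufferedReader(
                                new InputStreamReader(process.getErrorStream(), "UTF-8"));
                        try {
                            String line;
                            while ((line = errReader.readLine()) != null) {
                                LOGGER.warn("bundle-audit: {}", line);
                            }
                        } finally {
                            errReader.close();
                        }
                    } catch (IOException ioe) {
                        LOGGER.debug("Unable to read bundle-audit stderr", ioe);
                    }
                }
            });
            errDrain.setDaemon(true);
            errDrain.start();
            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
            processBundlerAuditOutput(dependency, engine, rdr);
            try {
                errDrain.join();
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
            }
            // … unchanged: catch (IOException ioe) / finally …
```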
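Review bot: `import static org.junit.Assert.assertTrue;` is inserted between the `org.junit.*` and `org.owasp.*` imports, while the other static imports were just moved into their own group at the top of the file; keep the new one with them, directly after `import static org.junit.Assert.assertThat;`. The new `import org.owasp.dependencycheck.utils.Settings;` is only referenced, as far as this patch shows, by a commented-out line in `setUp()`, so it looks like an unused import.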
@@ -57,6 +59,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
 @Before
 public void setUp() throws Exception {
 try {
+// Settings.initialize();
 analyzer = new RubyBundleAuditAnalyzer();
 analyzer.setFilesMatched(true);
 analyzer.initialize();
@@ -101,9 +104,14 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
 @Test
 public void testAnalysis() throws AnalysisException, DatabaseException {
 final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
- "ruby/vulnerable/Gemfile.lock"));
+ "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
 final Engine engine = new Engine();
 analyzer.analyze(result, engine);
- assertThat(engine.getDependencies().size(), is(not(0)));
+ int size = engine.getDependencies().size();
+ assertTrue(size == 1);
+
+ Dependency dependency = engine.getDependencies().get(0);
+ assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
+ assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
 }
 }
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index 83b5430ca..e3862e8e7 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false #whether the nexus analyzer uses the proxy analyzer.nexus.proxy=true
+#Use your own bundle-audit install directory.
+#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
diff --git a/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile
new file mode 100755
index 000000000..b9e77dd30
--- /dev/null
+++ b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile
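Review bot: The commented-out `// Settings.initialize();` added at column 0 inside `setUp()` is dead code; if the call is needed for the test to run it should be enabled, otherwise drop the line (and the `Settings` import that exists only for it) rather than leave it as a comment. The body of `setUp()` continues past the hunk.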
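Review bot: `assertTrue(size == 1);` fails with a bare `AssertionError` that hides the actual count; the hamcrest matchers are already imported, so `assertThat(engine.getDependencies().size(), is(1));` reports expected and actual values instead. The two evidence checks have the same weakness and would read better as `assertThat` over the lowercased string; in addition `toLowerCase()` without a `Locale` is locale-sensitive, so `toLowerCase(Locale.ROOT)` is the safer form for a fixed ASCII comparison like this.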
@@ -0,0 +1,102 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# This needs to be with require false as it is
+# loaded after loading the test library to
+# ensure correct loading order
+gem 'mocha', '~> 0.14', require: false
+
+gem 'rack-cache', '~> 1.2'
+gem 'jquery-rails', '~> 3.1.0'
+gem 'turbolinks'
+gem 'coffee-rails', '~> 4.0.0'
+
+gem 'sprockets', '~> 3.0.0.rc.1'
+
+# require: false so bcrypt is loaded only when has_secure_password is used.
+# This is to avoid ActiveModel (and by extension the entire framework)
+# being dependent on a binary library.
+gem 'bcrypt', '~> 3.1.7', require: false
+
+# This needs to be with require false to avoid
+# it being automatically loaded by sprockets
+gem 'uglifier', '>= 1.3.0', require: false
+
+group :doc do
+ gem 'sdoc', '~> 0.4.0'
+ gem 'redcarpet', '~> 2.2.2', platforms: :ruby
+ gem 'w3c_validators'
+ gem 'kindlerb', '0.1.1'
+ gem 'mustache', '~> 0.99.8'
+end
+
+# AS
+gem 'dalli', '>= 2.2.1'
+
+# Add your own local bundler stuff
+local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
+instance_eval File.read local_gemfile if File.exist? local_gemfile
+
+group :test do
+ # FIX: Our test suite isn't ready to run in random order yet
+ gem 'minitest', '< 5.3.4'
+
+ platforms :mri_19 do
+ gem 'ruby-prof', '~> 0.11.2'
+ end
+
+ # platforms :mri_19, :mri_20 do
+ # gem 'debugger'
+ # end
+
+ platforms :mri do
+ gem 'stackprof'
+ end
+
+ gem 'benchmark-ips'
+end
+
+platforms :ruby do
+ gem 'nokogiri', '>= 1.4.5'
+
+ # Needed for compiling the ActionDispatch::Journey parser
+ gem 'racc', '>=1.4.6', require: false
+
+ # AR
+ gem 'sqlite3', '~> 1.3.6'
+
+ group :db do
+ gem 'pg', '>= 0.11.0'
+ gem 'mysql', '>= 2.9.0'
+ gem 'mysql2', '>= 0.3.13', '< 0.4'
+ end
+end
+
+platforms :jruby do
+ gem 'json'
+ if ENV['AR_JDBC']
+ gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+ group :db do
+ gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+ gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+ end
+ else
+ gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
+ group :db do
+ gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
+ gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
+ end
+ end
+end
+
+# gems that are necessary for ActiveRecord tests with Oracle database
+if ENV['ORACLE_ENHANCED']
+ platforms :ruby do
+ gem 'ruby-oci8', '>= 2.0.4'
+ end
+ gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
+end
+
+# A gem necessary for ActiveRecord tests with IBM DB
+gem 'ibm_db' if ENV['IBM_DB']
diff --git a/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock
new file mode 100755
index 000000000..a0a1772b3
--- /dev/null
+++ b/dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock
@@ -0,0 +1,154 @@ +PATH + remote: . + specs: + actionmailer (4.1.15) + actionpack (= 4.1.15) + actionview (= 4.1.15) + mail (~> 2.5, >= 2.5.4) + actionpack (4.1.15) + actionview (= 4.1.15) + activesupport (= 4.1.15) + rack (~> 1.5.2) + rack-test (~> 0.6.2) + actionview (4.1.15) + activesupport (= 4.1.15) + builder (~> 3.1) + erubis (~> 2.7.0) + activemodel (4.1.15) + activesupport (= 4.1.15) + builder (~> 3.1) + activerecord (4.1.15) + activemodel (= 4.1.15) + activesupport (= 4.1.15) + arel (~> 5.0.0) + activesupport (4.1.15) + i18n (~> 0.6, >= 0.6.9) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) + thread_safe (~> 0.1) + tzinfo (~> 1.1) + rails (4.1.15) + actionmailer (= 4.1.15) + actionpack (= 4.1.15) + actionview (= 4.1.15) + activemodel (= 4.1.15) + activerecord (= 4.1.15) + activesupport (= 4.1.15) + bundler (>= 1.3.0, < 2.0) + railties (= 4.1.15) + sprockets-rails (~> 2.0) + railties (4.1.15) + actionpack (= 4.1.15) + activesupport (= 4.1.15) + rake (>= 0.8.7) + thor (>= 0.18.1, < 2.0) + +GEM + remote: https://rubygems.org/ + specs: + arel (5.0.1.20140414130214) + bcrypt (3.1.10) + benchmark-ips (2.3.0) + builder (3.2.2) + coffee-rails (4.0.1) + coffee-script (>= 2.2.0) + railties (>= 4.0.0, < 5.0) + coffee-script (2.4.1) + coffee-script-source + execjs + coffee-script-source (1.10.0) + dalli (2.7.5) + erubis (2.7.0) + execjs (2.6.0) + i18n (0.7.0) + jquery-rails (3.1.4) + railties (>= 3.0, < 5.0) + thor (>= 0.14, < 2.0) + json (1.8.3) + kindlerb (0.1.1) + mustache + nokogiri + mail (2.6.3) + mime-types (>= 1.16, < 3) + metaclass (0.0.4) + mime-types (2.99.1) + mini_portile2 (2.0.0) + minitest (5.3.3) + mocha (0.14.0) + metaclass (~> 0.0.1) + mustache (0.99.8) + mysql (2.9.1) + mysql2 (0.3.20) + nokogiri (1.6.7.2) + mini_portile2 (~> 2.0.0.rc2) + pg (0.18.4) + racc (1.4.14) + rack (1.5.5) + rack-cache (1.5.1) + rack (>= 0.4) + rack-test (0.6.3) + rack (>= 1.0) + rake (10.5.0) + rdoc (4.2.1) + redcarpet (2.2.2) + ruby-prof (0.11.3) + sdoc (0.4.1) + json (~> 
1.7, >= 1.7.7) + rdoc (~> 4.0) + sprockets (3.0.3) + rack (~> 1.0) + sprockets-rails (2.3.3) + actionpack (>= 3.0) + activesupport (>= 3.0) + sprockets (>= 2.8, < 4.0) + sqlite3 (1.3.11) + stackprof (0.2.8) + thor (0.19.1) + thread_safe (0.3.5) + turbolinks (2.5.3) + coffee-rails + tzinfo (1.2.2) + thread_safe (~> 0.1) + uglifier (2.7.2) + execjs (>= 0.3.0) + json (>= 1.8.0) + w3c_validators (1.2) + json + nokogiri + +PLATFORMS + ruby + +DEPENDENCIES + activerecord-jdbcmysql-adapter (>= 1.3.0) + activerecord-jdbcpostgresql-adapter (>= 1.3.0) + activerecord-jdbcsqlite3-adapter (>= 1.3.0) + bcrypt (~> 3.1.7) + benchmark-ips + coffee-rails (~> 4.0.0) + dalli (>= 2.2.1) + jquery-rails (~> 3.1.0) + json + kindlerb (= 0.1.1) + minitest (< 5.3.4) + mocha (~> 0.14) + mustache (~> 0.99.8) + mysql (>= 2.9.0) + mysql2 (>= 0.3.13, < 0.4) + nokogiri (>= 1.4.5) + pg (>= 0.11.0) + racc (>= 1.4.6) + rack-cache (~> 1.2) + rails! + redcarpet (~> 2.2.2) + ruby-prof (~> 0.11.2) + sdoc (~> 0.4.0) + sprockets (~> 3.0.0.rc.1) + sqlite3 (~> 1.3.6) + stackprof + turbolinks + uglifier (>= 1.3.0) + w3c_validators + +BUNDLED WITH + 1.11.2