Compare commits


73 Commits

Author SHA1 Message Date
Jeremy Long
e488767cea 0.3.2.0
Former-commit-id: 8431f1312204c78a829f269954161d7187245493
2013-05-27 22:14:27 -04:00
Jeremy Long
85cacaf91e testing
Former-commit-id: 7fd42dc4c273eff98a8fbc3e3a14f0ce1fd26abe
2013-05-27 22:12:25 -04:00
Jeremy Long
a038bef7fe reset username and blank password
Former-commit-id: 398c0723854c8c43d674d03a6433611c8572cec5
2013-05-27 21:32:05 -04:00
Jeremy Long
539d3cbaba updated H2 version
Former-commit-id: b7193bc7c2e256ebdcabc039d573994daab47415
2013-05-27 20:47:13 -04:00
Jeremy Long
80784a44c5 added compile time support for findbugs suppress warning annotation
Former-commit-id: 83d178ebafafe8ffc1f10b91d7336490c046990b
2013-05-27 20:02:54 -04:00
Jeremy Long
b1a55e2df3 updated javadoc
Former-commit-id: 2818f04997c8fa1c81c8e9bddaea0e9370b76350
2013-05-27 20:01:47 -04:00
Jeremy Long
870d345de8 updated javadoc
Former-commit-id: 3e05f7622618e2dc27fe40cfbdb488303d5c0ec9
2013-05-27 20:01:16 -04:00
Jeremy Long
2b830dccfa added findbugs suppression for a non-issue and made a few checkstyle corrections
Former-commit-id: a4a3c3503eee772c13d567d473f7ed5126941301
2013-05-27 20:00:46 -04:00
Jeremy Long
9f08cf553b added findbugs suppress warning for a false positive
Former-commit-id: c493f8178c129cb73f023b605599dc3dfa558f58
2013-05-27 19:59:16 -04:00
Jeremy Long
7c14017db3 collapsed nested if statements
Former-commit-id: e4d466f50e76659bece83b46f8a111a3d8225353
2013-05-27 19:58:26 -04:00
Jeremy Long
e0e85c468a added suppresswarnings for findbugs false positive
Former-commit-id: 7423c03adb41f92e447aba5e58bc415d27c6c957
2013-05-27 19:56:19 -04:00
Jeremy Long
6628fc3c33 updated javadoc
Former-commit-id: 591bec1e2d5a2945a9cca5bf02cd1cea1bd8a38c
2013-05-27 19:55:13 -04:00
Jeremy Long
61a1531e7b checkstyle fixes
Former-commit-id: 5281b8ecb5163ce4a0a6464fea4f6d2a4baffafd
2013-05-27 19:54:41 -04:00
Jeremy Long
933a8f8ec6 reduced size to make tests faster
Former-commit-id: d8a3b0c2382ae28a519c2cb44fb93205015e82b0
2013-05-27 19:53:14 -04:00
Jeremy Long
f660afc6cb updated javadoc and copyright
Former-commit-id: d48d9e1deed118e9b60d37185cdbfda47898ef6f
2013-05-27 09:14:56 -04:00
Jeremy Long
a5dc79dffe Merge branch 'master' of https://github.com/jeremylong/DependencyCheck
Former-commit-id: 9189529fca392ee1ef0b810528288e243dcdb6e4
2013-05-27 09:07:18 -04:00
Steve Springett
dbc862ad39 Adding more control over data directory path
Former-commit-id: 263475fc5b3aae04f2530ea78a0456deb18686fe
2013-05-27 00:10:08 -07:00
Jeremy Long
e6efe6e610 Applied patch from Steve to change the loading of the H2 db
Former-commit-id: cfce611fadbd2a39880f01d61054dbb8f72f81dc
2013-05-25 10:56:41 -04:00
Steve Springett
9a7fbe44eb Adding more control over data directory path
Former-commit-id: 966544bd738646ba57be087f413f686ecdfcee9c
2013-05-24 23:53:24 -07:00
Steve Springett
adfc913a0e Fixed Velocity logging issues in server environment.
Former-commit-id: 429105274ee0c2e78c3398e3c019feaaa056866d
2013-05-24 16:00:10 -07:00
Steve Springett
8813652f0d Forcing the class loading of the H2 JDBC driver.
Former-commit-id: d6c11d56afc04d115bbf1d0962072c70cb205dd8
2013-05-22 01:11:02 -07:00
Jeremy Long
250444dd25 made outDir final
Former-commit-id: 7987673433e91d54efa138bfafd7fbe1a22ee089
2013-05-20 22:54:35 -04:00
Jeremy Long
a939d0c844 various updates recommended by intelliJ
Former-commit-id: 2909f6b33224c74a2984f94651f6418bf60d88fc
2013-05-20 22:50:21 -04:00
Jeremy Long
577b5ad704 various updates recommended by intelliJ
Former-commit-id: 5ec42c1470384e9acd203819daa7d688ed10e965
2013-05-20 22:17:19 -04:00
Jeremy Long
7476550356 version 0.3.1.1-snapshot
Former-commit-id: 172a258ed0804641d1c6f73cb745330213014ceb
2013-05-20 17:04:03 -04:00
Jeremy Long
c9077a151d version 0.3.1.1
Former-commit-id: a47cc07a1a23ad75214fbedbe35c5e7cf72196f8
2013-05-20 17:01:02 -04:00
Jeremy Long
7e650e05b2 fixed typo that prevented some information from being displayed
Former-commit-id: 4823d74d2bfb31912715a363e9e56e7656f0e4b0
2013-05-20 17:00:21 -04:00
Jeremy Long
8e6b8a092b corrected file path of related dependencies
Former-commit-id: 62ffe2147fe1ed2e0126359371580cb0b098f4b1
2013-05-19 08:29:00 -04:00
Jeremy Long
bd6aa7c61b bug fix, report generation failed if target directory didn't exist
Former-commit-id: 41dacefc1453b7625ccee3c697e1348f36eebbd1
2013-05-18 10:23:57 -04:00
Jeremy Long
300a3211ba updated exception logging message
Former-commit-id: a63f99f7eb5ec2dbb60239d10aefd3f4f0387123
2013-05-18 09:00:34 -04:00
Jeremy Long
d4084cfe85 PMD fix
Former-commit-id: 7d7592cedc8d131811cfc33ad9272a360bc7acae
2013-05-18 08:49:08 -04:00
Jeremy Long
7027109272 checkstyle fix
Former-commit-id: 841f19eb4b9b210a060a1c200e250ffa9abb17c1
2013-05-18 08:45:58 -04:00
Jeremy Long
f37f8a7025 updated global Settings and moved connectionTimeout, proxyUrl, and proxyPort from system properties to normal command line properties
Former-commit-id: 2264d15e1e30034142554f93c92b30bd775083ee
2013-05-18 08:45:16 -04:00
Jeremy Long
4758bea71b updated author email address to my owasp address
Former-commit-id: 4d5b9a406416032e6b53d7c4cdaa20a0c5dc80e4
2013-05-17 23:57:59 -04:00
Jeremy Long
dcbe626d55 added equals and hashcode methods
Former-commit-id: cf7b97b47b53fa5ad57cb15747e205d5e616760b
2013-05-17 22:39:28 -04:00
Jeremy Long
1d8dddbfbf v0.3.1.0-snapshot
Former-commit-id: 85ae4f6b22174a3226d4bc1b7141960fef06cb67
2013-05-17 22:26:22 -04:00
Jeremy Long
1eae29e255 v0.3.1.0
Former-commit-id: af198b8777439f63939bb67849bdd836e3da1a1d
2013-05-17 22:24:24 -04:00
Jeremy Long
f1d76ecace fixed logging bug
Former-commit-id: 41a3727c279f804ce4691f5d9ab1ce91310beae8
2013-05-13 12:11:22 -04:00
Jeremy Long
e295bae27a Checkstyle fix
Former-commit-id: d66c419a63c01b09e7a72647e7c495158c1f30c3
2013-05-13 11:54:50 -04:00
Jeremy Long
2330e71b8a Improved logging on failed updates
Former-commit-id: 76b8b8829276b32926e096b400e32f59dbaca8ea
2013-05-13 11:54:25 -04:00
Jeremy Long
6a51fe9564 Improved logging on failed updates
Former-commit-id: 4b08adcdeec38333e07e5ca42a658c98ac9b83a3
2013-05-13 11:52:54 -04:00
Jeremy Long
c57c4b1184 minor update to prepareLogger
Former-commit-id: 67135fe039ecfbea508418c844de3b44e0e23634
2013-05-13 11:41:55 -04:00
Jeremy Long
7de83a77c2 source formatting update
Former-commit-id: da043ebca3e9a6b9b63c7b8c371563cc16121d4e
2013-05-13 11:09:39 -04:00
Jeremy Long
0b04cc196a updated title
Former-commit-id: 153aeace4c2709f5222a5b4d84e86f2ff36bf7ef
2013-05-12 07:00:58 -04:00
Jeremy Long
5c37b6216f file header update
Former-commit-id: e26b3651f6c4d9ce993da96a990f14a300aef8f9
2013-05-10 06:34:45 -04:00
Jeremy Long
2cb56cb6fa minor bug fix
Former-commit-id: 3daff3bc23acfd2e960df85fc8038beb62e0a6d1
2013-05-10 06:29:08 -04:00
Jeremy Long
912b0ef8da checkstyle fix
Former-commit-id: 07c248e22163c69f924e02932b94952c8a5ef3a1
2013-05-10 06:05:59 -04:00
Jeremy Long
1fe56dbff7 updated file header
Former-commit-id: 091fbe9d35dde27175c5c9e6782d4514f92ca0ca
2013-05-10 06:04:28 -04:00
Jeremy Long
d7d6dd5a62 checkstyle fixes
Former-commit-id: 6074262a482d3136e7a2b9e12c2b5448dd4d1426
2013-05-10 06:03:00 -04:00
Jeremy Long
0c100c1372 updated file header comment
Former-commit-id: 7398d863e1b4271bd39875644f2de3d3376d7e26
2013-05-10 05:52:44 -04:00
Jeremy Long
73886ce46e minor correction
Former-commit-id: a22f05e1f2446fa60d0b27c7019c0977bd9f103f
2013-05-10 05:33:57 -04:00
Jeremy Long
55e61caf39 Fixed bug when analyzing maven repositories - related JARs would not get bundled
Former-commit-id: a63d04d7d3674f1df6a98f7741867841f40093f9
2013-05-09 23:03:03 -04:00
Jeremy Long
2e3331f568 bug fixes
Former-commit-id: e6e1292842528039ab4498d65239759e6729a70a
2013-05-09 22:34:47 -04:00
Jeremy Long
a1c7612a85 spelling fixes
Former-commit-id: 1909bc5b30b2dfd4ece5c880aace9ca4fd830b48
2013-05-09 19:49:25 -04:00
Jeremy Long
a70cbcc9d3 improved pom analysis
Former-commit-id: d1f81329c4de99873e83f65a9abc0bef1e3c4552
2013-05-03 20:23:42 -04:00
Jeremy Long
2a5b8943c3 minor update to references where the actual licenses are for the 3rd party components
Former-commit-id: bebca29026d1429aaf386352be4e7226d9d4663d
2013-04-24 20:03:02 -04:00
Jeremy Long
24d5616c45 changed logging level when logging update exceptions
Former-commit-id: bb69814afc4a335342366fd5eaa4243cf8923f13
2013-04-23 21:35:23 -04:00
Jeremy Long
43e1ee3e67 checkstyle/pmd/findbugs fixes
Former-commit-id: b7b60a9649e79b1ea30d0a0601b8212679ad59b7
2013-04-23 20:22:51 -04:00
Jeremy Long
f40fa460ca added commons-lang dependency
Former-commit-id: 86d36425ad26dff6af427fcbe91077a53050da43
2013-04-23 07:10:31 -04:00
Jeremy Long
210d8b9f49 added FileUtilsTest
Former-commit-id: 0736d9241e72a08821321c226095497809be553c
2013-04-23 07:09:56 -04:00
Jeremy Long
84f0a7e76a bug fixes
Former-commit-id: 5800eee292f46fabbf0ca4f59e69d4b450b1cc5f
2013-04-23 07:09:18 -04:00
Jeremy Long
bd71bb601e added removal of spurious CPE entries
Former-commit-id: 3117c5a312eb57ec48e5686b5d3d2393364d5788
2013-04-23 07:08:29 -04:00
Jeremy Long
116fe70061 added pre finding and post finding phases
Former-commit-id: 7a5794735ad91a44f0c281c551fe7b8a79a9cdff
2013-04-23 07:07:19 -04:00
Jeremy Long
231eb5067f added tests for DependencyVersionUtil
Former-commit-id: ef73d9755d63561527d974775b73393cc780fd6e
2013-04-23 07:06:30 -04:00
Jeremy Long
2562d6ff98 added better version analysis for dependency bundling
Former-commit-id: c089750bbb5b23c7cca31138590b1dada55f59e5
2013-04-23 07:05:42 -04:00
Jeremy Long
bb2abf4529 bug fixed regarding whether or not to include packages as evidence
Former-commit-id: 0a180e491a630d6cbb1fb1083aabad97f44dc1fd
2013-04-23 07:03:57 -04:00
Jeremy Long
9c0ef770b2 added axis and axis2 for testing
Former-commit-id: eb21c8df788687269491b05f704a6ffe63d67e44
2013-04-23 07:02:48 -04:00
Jeremy Long
43f0fa9e10 fixed bug in removing sources and javadoc JARs from analysis
Former-commit-id: 044cbb59264adbc11f022b0b40e8a781b9c1a046
2013-04-21 05:18:50 -04:00
Jeremy Long
6925ed78f6 added code to filter out sources.jar and javadoc.jar if no class files are contained
Former-commit-id: 8c9ff1bdd942e0e1db80181196d8d23e17353b3a
2013-04-20 15:43:12 -04:00
Jeremy Long
2ebe80b12f started snapshot
Former-commit-id: 82092ccf6224eb8072476a48b937386cc3984ead
2013-04-20 15:42:21 -04:00
Jeremy Long
34250f2cfe fixed line break issues
Former-commit-id: 5f1310fb81d70c68d49e2479186949f1fae74caa
2013-04-20 15:03:32 -04:00
Jeremy Long
d3153ef0f3 fixed line break issues
Former-commit-id: 61c3e7e184fbdef8d0ada19d0366cd1b10cc1311
2013-04-20 15:02:38 -04:00
Jeremy Long
5eaaa254ca fixed line breaks in the usage
Former-commit-id: 186ade9f6b1c9b3fa1b5eab1cea6a2ce367a8b92
2013-04-20 15:00:58 -04:00
120 changed files with 5808 additions and 737 deletions

View File

@@ -1,6 +1,8 @@
DependencyCheck
Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
This product includes software developed by
The Apache Software Foundation (http://www.apache.org/).

View File

@@ -1,7 +1,7 @@
DependencyCheck
=========
DependencyCheck is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries..
More information can be found on the [wiki].
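Review bot: the corrected README sentence now ends with a doubled period ("...associated CVE entries.."); drop one so it matches the pom.xml description in this same compare, which ends with a single period.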
@@ -9,8 +9,11 @@ Usage
-
> $ mvn package
> $ cd target
> $ java -jar dependency-check-[version].jar -h
> $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
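Review bot: the new usage block does not show the connection timeout and proxy options that this compare moves from system properties to ordinary command-line arguments (commit f37f8a7025; App now passes cli.getConnectionTimeout(), cli.getProxyUrl() and cli.getProxyPort() to updateSettings). Add a line showing them next to the `-a`/`-out`/`-scan` example, or at least point readers at `-h`, so a user behind a proxy knows why the data update fails and how to fix it.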
@@ -19,6 +22,7 @@ Mailing List
-
Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
Post: [dependency-check@googlegroups.com] [post]
Copyright & License

72
pom.xml
View File

@@ -8,7 +8,7 @@ it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
DependencyCheck is distributed in the hope that it will be useful,
Dependency-Check is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
@@ -20,14 +20,14 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.dependency-check</groupId>
<groupId>org.owasp</groupId>
<artifactId>dependency-check</artifactId>
<version>0.3.0.0</version>
<version>0.3.2.0</version>
<packaging>jar</packaging>
<name>DependencyCheck</name>
<url>https://github.com/jeremylong/DependencyCheck.git</url>
<description>Dependency-Check is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
<description>Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
<inceptionYear>2012</inceptionYear>
<organization>
<name>owasp</name>
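Review bot: changing the groupId from org.owasp.dependency-check to org.owasp together with the 0.3.0.0 to 0.3.2.0 bump changes the artifact's Maven coordinates, so existing consumers will not see this release as an upgrade of what they already depend on; call the move out in the README or release notes. In the same hunk `<organization><name>` is still the lowercase `owasp` while the developer entries below use `OWASP`, and `<url>` points at the `.git` clone URL rather than the project page.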
@@ -36,14 +36,23 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
<developers>
<developer>
<name>Jeremy Long</name>
<email>jeremy.long@gmail.com</email>
<organization>owasp</organization>
<email>jeremy.long@owasp.org</email>
<organization>OWASP</organization>
<organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
<roles>
<role>architect</role>
<role>developer</role>
</roles>
</developer>
<developer>
<name>Steve Springett</name>
<email>Steve.Springett@owasp.org</email>
<organization>OWASP</organization>
<organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
<roles>
<role>contributor</role>
</roles>
</developer>
</developers>
<scm>
<connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
@@ -147,7 +156,6 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
@@ -331,6 +339,25 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -378,13 +405,28 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
<version>2.0.1</version>
<scope>provided</scope><!-- don't include this in the libs-->
</dependency>
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
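Review bot: commons-lang is pinned at 2.5 while the rest of this block moves to current releases (commons-io 2.4, Lucene 4.3.0); 2.6 is the last release of the 2.x line and is a drop-in replacement, so prefer it unless 2.5 is needed for a specific reason. The `provided` scope on the findbugs `annotations` artifact, with the "don't include this in the libs" comment, is the right choice: the suppression annotations are only consumed by the analysis tooling at build time and are not read at runtime, so nothing is lost by keeping them out of the distributed lib set.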
@@ -395,23 +437,17 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-core</artifactId>
<version>4.0.0</version>
<!--<version>3.5.0</version>-->
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-analyzers-common</artifactId>
<version>4.0.0</version>
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-queryparser</artifactId>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
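Review bot: lucene-core, lucene-analyzers-common and lucene-queryparser have to be kept at one version, and this hunk pins 4.3.0 three times by hand; put it in a `<properties>` entry such as `<lucene.version>4.3.0</lucene.version>` and reference `${lucene.version}` in each dependency so a later bump cannot leave one of the three behind. Dropping the stale `<!--<version>3.5.0</version>-->` comment and moving the commons-io block up to the earlier dependency group are fine.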
@@ -465,7 +501,7 @@ along with DependencyCheck. If not, see <http://www.gnu.org/licenses />.
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.3.171</version>
<version>1.3.172</version>
</dependency>
<!-- The following dependencies are only scanned during integration testing -->

View File

@@ -1,19 +1,19 @@
^/\*\s*$
^ \* This file is part of DependencyCheck\.\s*$
^ \* This file is part of Dependency-Check\.\s*$
^ \*\s*$
^ \* DependencyCheck is free software\: you can redistribute it and/or modify it\s*$
^ \* Dependency-Check is free software\: you can redistribute it and/or modify it\s*$
^ \* under the terms of the GNU General Public License as published by the Free\s*$
^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
^ \* later version\.
^ \*\s*$
^ \* DependencyCheck is distributed in the hope that it will be useful, but\s*$
^ \* Dependency-Check is distributed in the hope that it will be useful, but\s*$
^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
^ \* details\.\s*$
^ \*\s*$
^ \* You should have received a copy of the GNU General Public License along with\s*$
^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
^ \* Dependency-Check\. If not, see http://www.gnu.org/licenses/\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$
^ \* Copyright \(c\) 201[23] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package
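Review bot: the new copyright pattern `201[23] (Jeremy Long|Steve Springett)` is tighter than the check needs: it rejects a year range such as `2012-2013` (the form the NOTICE file in this compare uses) and has to be edited for every new contributor. A pattern along the lines of `Copyright \(c\) 20\d\d(-20\d\d)? .+\. All Rights Reserved\.` keeps the header check without maintaining a name list. Two unchanged lines are also worth a pass while this file is open: `^ \* later version\.` is the only line without the trailing `\s*$`, and `PURPOSE. See` has an unescaped `.`; both are harmless but inconsistent with the rest of the file.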

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
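Review bot: the rename to Dependency-Check leaves `Copyright (c) 2012 Jeremy Long` untouched, while the NOTICE hunk above now reads `2012-2013` and the checkstyle header regex in this compare accepts `201[23]`; since every header is being rewritten anyway, update the year in the same pass so the three stay consistent.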
@@ -51,7 +51,7 @@ import org.owasp.dependencycheck.utils.Settings;
/**
* The command line interface for the DependencyCheck application.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class App {
@@ -75,17 +75,9 @@ public class App {
* Configures the logger for use by the application.
*/
private static void prepareLogger() {
//while java doc for JUL says to use preferences api - it throws an exception...
//Preferences.systemRoot().put("java.util.logging.config.file", "log.properties");
//System.getProperties().put("java.util.logging.config.file", "configuration/log.properties");
//removed the file handler. since this is a console app - just write to console.
// File dir = new File("logs");
// if (!dir.exists()) {
// dir.mkdir();
// }
InputStream in = null;
try {
final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
LogManager.getLogManager().reset();
LogManager.getLogManager().readConfiguration(in);
} catch (IOException ex) {
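Review bot: `getResourceAsStream(LOG_PROPERTIES_FILE)` returns null when the resource is missing from the classpath (for example after repackaging the jar), and `readConfiguration(null)` then fails with a NullPointerException that neither the IOException nor the SecurityException catch handles; because `LogManager.getLogManager().reset()` has already run, the application would continue with logging torn down and no message saying why. Check `in` for null before `readConfiguration` and log a clear message naming the missing resource.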
@@ -93,6 +85,13 @@ public class App {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
} catch (SecurityException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {
in.close();
} catch (Exception ex) {
//ignore
in = null;
}
}
}
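Review bot: in the `finally` block `in.close()` is called even when `in` is still null (the lookup failed or threw before assignment), relying on the catch-all `catch (Exception ex)` to swallow the resulting NullPointerException, and the `in = null` inside that catch has no effect since `in` is never read again. Guard the close with `if (in != null)` and narrow the catch to IOException so a genuine close failure is not confused with a missing resource.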
@@ -121,8 +120,8 @@ public class App {
if (cli.isGetVersion()) {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(),
cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
updateSettings(cli.isAutoUpdate(), cli.isDeepScan(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort());
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
} else {
cli.printHelp();
}
@@ -137,12 +136,9 @@ public class App {
* @param outputFormat the output format of the report
* @param applicationName the application name for the report
* @param files the files/directories to scan
* @param autoUpdate whether to auto-update the cached data from the Internet
* @param deepScan whether to perform a deep scan of the evidence in the project dependencies
*/
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) {
final Engine scanner = new Engine(autoUpdate);
Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
final Engine scanner = new Engine();
for (String file : files) {
scanner.scan(file);
@@ -160,4 +156,26 @@ public class App {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
}
}
/**
* Updates the global Settings.
* @param autoUpdate whether or not to update cached web data sources
* @param deepScan whether or not to perform a deep scan (increases false positives, but may reduce false negatives)
* @param connectionTimeout the timeout to use when downloading resources (null or blank will use default)
* @param proxyUrl the proxy url (null or blank means no proxy will be used)
* @param proxyPort the proxy port (null or blank means no port will be used)
*/
private void updateSettings(boolean autoUpdate, boolean deepScan, String connectionTimeout, String proxyUrl, String proxyPort) {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
}
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}
}
}
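Review bot: `updateSettings` stores proxyPort and connectionTimeout as raw strings and never checks that they are numeric, so a mistyped port or timeout is accepted here and only fails later wherever the value is parsed, far from the argument the user typed. Validate at the CLI boundary (parse with `Integer.parseInt`, reject non-positive values, and report the offending argument) before calling `Settings.setString`. A proxy URL given without a port is also accepted silently; either require both together or document what default applies.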

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -36,6 +36,8 @@ import org.owasp.dependencycheck.data.UpdateException;
import org.owasp.dependencycheck.data.UpdateService;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Scans files, directories, etc. for Dependencies. Analyzers are loaded and
@@ -43,29 +45,37 @@ import org.owasp.dependencycheck.utils.FileUtils;
* Analyzer is associated with the file type then the file is turned into a
* dependency.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Engine {
/**
* The list of dependencies.
*/
private List<Dependency> dependencies = new ArrayList<Dependency>();
private final List<Dependency> dependencies = new ArrayList<Dependency>();
/**
* A Map of analyzers grouped by Analysis phase.
*/
private EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
/**
* A set of extensions supported by the analyzers.
*/
private Set<String> extensions = new HashSet<String>();
private final Set<String> extensions = new HashSet<String>();
/**
* Creates a new Engine.
*/
public Engine() {
doUpdates();
boolean autoUpdate = true;
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update.");
}
if (autoUpdate) {
doUpdates();
}
loadAnalyzers();
}
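Review bot: when `Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)` throws InvalidSettingException the constructor falls back to `autoUpdate = true`, so a malformed setting silently results in a network download, and the WARNING does not pass `ex` to `log(...)`, which hides the offending value. Log the exception, and consider treating an invalid value as a configuration error to surface to the user rather than picking a default for them, since this runs before any scan output is produced. The switch of the three collections to `final` is good.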
@@ -74,7 +84,10 @@ public class Engine {
*
* @param autoUpdate indicates whether or not data should be updated from
* the Internet.
* @deprecated this function should no longer be used; the autoupdate flag should be set using
* <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
*/
@Deprecated
public Engine(boolean autoUpdate) {
if (autoUpdate) {
doUpdates();
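Review bot: the deprecated `Engine(boolean autoUpdate)` constructor still drives the update directly from its argument and bypasses `Settings.KEYS.AUTO_UPDATE`, which the no-arg constructor now consults, so code that mixes the two gets different behaviour from the same Settings. Have it set the flag (`Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate)`) and delegate to `this()` so there is a single code path left to remove when the deprecation lands.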
@@ -148,11 +161,13 @@ public class Engine {
*/
protected void scanDirectory(File dir) {
final File[] files = dir.listFiles();
for (File f : files) {
if (f.isDirectory()) {
scanDirectory(f);
} else {
scanFile(f);
if (files != null) {
for (File f : files) {
if (f.isDirectory()) {
scanDirectory(f);
} else {
scanFile(f);
}
}
}
}
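Review bot: the null check on `dir.listFiles()` avoids the NullPointerException but then skips the directory without a word; `listFiles()` returns null both for a non-directory and for an I/O or permission error, so log at least a WARNING naming `dir`, otherwise a scan that quietly misses a whole tree (and its dependencies) looks like a clean result. The recursion also has no guard against symbolic-link cycles, since `java.io.File` follows links; a scan root containing a link back to an ancestor recurses until StackOverflowError. Tracking canonical paths already visited would cover both points.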
@@ -217,7 +232,7 @@ public class Engine {
if (a.supportsExtension(d.getFileExtension())) {
try {
a.analyze(d, this);
} catch (AnalysisException ex) {
} catch (AnalysisException ex) {
d.addAnalysisException(ex);
}
}
@@ -232,14 +247,14 @@ public class Engine {
try {
a.close();
} catch (Exception ex) {
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, null, ex);
}
}
}
}
/**
*
* Cycles through the cached web data sources and calls update on all of them.
*/
private void doUpdates() {
final UpdateService service = UpdateService.getInstance();
@@ -249,8 +264,11 @@ public class Engine {
try {
source.update();
} catch (UpdateException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
"Unable to update " + source.getClass().getName(), ex);
Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
"Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
Logger.getLogger(Engine.class.getName()).log(Level.INFO,
String.format("Unable to update details for %s",
source.getClass().getName()), ex);
}
}
}
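Review bot: the WARNING the operator sees no longer says which cached data source failed; that detail and the stack trace are now only at INFO, so a console configured at WARNING shows a generic message with nothing to act on. Keep the data source name in the WARNING (`source.getClass().getName()` is already in hand) and leave the exception at INFO. From a defender's standpoint the key fact is that the scan ran on stale vulnerability data, and that needs to be attributable to a specific source so it can be fixed before the report is trusted.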

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -24,7 +24,7 @@ import java.util.Set;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public abstract class AbstractAnalyzer implements Analyzer {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.analyzer;
/**
* An exception thrown when the analysis of a dependency fails.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class AnalysisException extends Exception {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,36 +21,44 @@ package org.owasp.dependencycheck.analyzer;
/**
* An enumeration defining the phases of analysis.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public enum AnalysisPhase {
/**
* The first phase of analysis.
* Initialization phase.
*/
INITIAL,
/**
* The second phase of analysis.
* Information collection phase.
*/
INFORMATION_COLLECTION,
/**
* The third phase of analysis.
* Pre identifier analysis phase.
*/
PRE_IDENTIFIER_ANALYSIS,
/**
* The fourth phase of analysis.
* Identifier analysis phase.
*/
IDENTIFIER_ANALYSIS,
/**
* The fifth phase of analysis.
* Post identifier analysis phase.
*/
POST_IDENTIFIER_ANALYSIS,
/**
* The sixth phase of analysis.
* Pre finding analysis phase.
*/
PRE_FINDING_ANALYSIS,
/**
* Finding analysis phase.
*/
FINDING_ANALYSIS,
/**
* The seventh and final phase of analysis.
* Post analysis phase.
*/
POST_FINDING_ANALYSIS,
/**
* The final analysis phase.
*/
FINAL
}
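Review bot: inserting FINDING_ANALYSIS in the middle of the enum and FINAL at the end changes the ordinal of POST_FINDING_ANALYSIS and the length of values(); anything that orders analyzers by ordinal() or persists the ordinal will shift silently, so confirm the engine dispatches phases by iterating values() rather than by stored numbers. Also the Javadoc on POST_FINDING_ANALYSIS reads "Post analysis phase" while the constant is POST_FINDING_ANALYSIS, and "The final analysis phase" on FINAL does not say what belongs there (cleanup, reporting?); naming the intended contents of each phase, as the INFORMATION_COLLECTION comment does, would make the ordering self-explanatory.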


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
* An analyzer will collect information about the dependency in the form of
* Evidence.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public interface Analyzer {


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class AnalyzerService {


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
* <p>Note, this grouping only works on dependencies with identified CVE
* entries</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
@@ -50,7 +50,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
@@ -153,6 +153,32 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
}
/**
* Attempts to trim a maven repo to a common base path. This is typically
* [drive]\[repo_location]\repository\[path1]\[path2].
*
* @param path the path to trim
* @return a string representing the base path.
*/
private String getBaseRepoPath(final String path) {
int pos = path.indexOf("repository" + File.separator) + 11;
if (pos < 0) {
return path;
}
int tmp = path.indexOf(File.separator, pos);
if (tmp <= 0) {
return path;
}
if (tmp > 0) {
pos = tmp + 1;
}
tmp = path.indexOf(File.separator, pos);
if (tmp > 0) {
pos = tmp + 1;
}
return path.substring(0, pos);
}
/**
* Returns true if the identifiers in the two supplied dependencies are equal.
* @param dependency1 a dependency2 to compare
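Review bot: the not-found check in getBaseRepoPath can never fire: `int pos = path.indexOf("repository" + File.separator) + 11;` adds the offset before the test, so a miss (-1) becomes 10 and `if (pos < 0)` is dead code; `return path.substring(0, pos);` then truncates an unrelated path at an arbitrary position. Test the raw indexOf result first, e.g. `int pos = path.indexOf("repository" + File.separator); if (pos < 0) { return path; } pos += 11;`. After the `if (tmp <= 0) { return path; }` early return, the following `if (tmp > 0)` guard is always true and can be dropped.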
@@ -179,15 +205,22 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
return false;
}
final File lFile = new File(dependency1.getFilePath());
final String left = lFile.getParent();
String left = lFile.getParent();
final File rFile = new File(dependency2.getFilePath());
final String right = rFile.getParent();
String right = rFile.getParent();
if (left == null) {
if (right == null) {
return true;
}
return false;
}
if (left.equalsIgnoreCase(right)) {
return true;
}
if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
left = getBaseRepoPath(left);
right = getBaseRepoPath(right);
}
return left.equalsIgnoreCase(right);
}
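Review bot: the regex `.*[/\\\\]repository[/\\\\].*` accepts either slash as the separator, but getBaseRepoPath only searches for "repository" + File.separator, so a path recorded with the other separator (for example a forward-slash path on Windows) passes the guard, comes back untrimmed, and the two parents compare unequal. Either normalise the separators before comparing or make getBaseRepoPath accept both. The `if (left == null)` block also reduces to `return right == null;`.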
@@ -195,7 +228,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
* This is likely a very broken attempt at determining if the 'left'
* dependency is the 'core' library in comparison to the 'right' library.
*
* TODO - consider spliting on /\._-\s/ and checking if all of one side is fully contained in the other
* TODO - consider splitting on /\._-\s/ and checking if all of one side is fully contained in the other
* With the exception of the word "core". This might work even on groups when we don't have a CVE.
*
* @param left the dependency to test


@@ -1,35 +1,43 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.Entry;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* This analyzer attempts to remove some well known false positives -
* specifically regarding the java runtime.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FalsePositiveAnalyzer extends AbstractAnalyzer {
@@ -94,7 +102,15 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
removeJreEntries(dependency);
removeVersions(dependency);
boolean deepScan = false;
try {
deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
} catch (InvalidSettingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
}
if (!deepScan) {
removeSpuriousCPE(dependency);
}
}
/**
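Review bot: the catch for InvalidSettingException logs at SEVERE with a null message and then silently falls through to `deepScan = false`, so a bad setting both fills the log with a bare stack trace and changes which CPEs are removed without telling the user why. Log a message that names Settings.KEYS.PERFORM_DEEP_SCAN and the value it defaulted to, or wrap it in the AnalysisException that analyze already declares.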
@@ -102,18 +118,57 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*
* @param dependency the dependency being analyzed
*/
private void removeVersions(Dependency dependency) {
//todo implement this so that the following is corrected?
//cpe: cpe:/a:apache:axis2:1.4
//cpe: cpe:/a:apache:axis:1.4
/* the above was identified from the evidence below:
Source Name Value
Manifest Bundle-Vendor Apache Software Foundation
Manifest Bundle-Version 1.4
file name axis2-kernel-1.4.1
pom artifactid axis2-kernel
pom name Apache Axis2 - Kernel
*/
private void removeSpuriousCPE(Dependency dependency) {
final List<Identifier> ids = new ArrayList<Identifier>();
ids.addAll(dependency.getIdentifiers());
final ListIterator<Identifier> mainItr = ids.listIterator();
while (mainItr.hasNext()) {
final Identifier currentId = mainItr.next();
final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
if (currentCpe == null) {
continue;
}
final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
while (subItr.hasNext()) {
final Identifier nextId = subItr.next();
final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
if (nextCpe == null) {
continue;
}
if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
// see if one is contained in the other.. remove the contained one from dependency.getIdentifier
final String mainVersion = currentCpe.getVersion();
final String nextVersion = nextCpe.getVersion();
if (mainVersion.length() < nextVersion.length()) {
if (nextVersion.startsWith(mainVersion)) {
//remove mainVersion
dependency.getIdentifiers().remove(currentId);
}
} else {
if (mainVersion.startsWith(nextVersion)) {
//remove nextVersion
dependency.getIdentifiers().remove(nextId);
}
}
} else {
if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
//same vendor and version - but different products
// are we dealing with something like Axis & Axis2
final String currentProd = currentCpe.getProduct();
final String nextProd = nextCpe.getProduct();
if (currentProd.startsWith(nextProd)) {
dependency.getIdentifiers().remove(nextId);
}
if (nextProd.startsWith(currentProd)) {
dependency.getIdentifiers().remove(currentId);
}
}
}
}
}
}
}
/**
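Review bot: the version containment test `mainVersion.startsWith(nextVersion)` has no segment boundary, so "1.41" is treated as a refinement of "1.4" and the "1.4" CPE is dropped although they are different releases; require that the longer version continues with "." after the prefix, or split on "." and compare segment by segment. In the same block, getVersion() may be null for a CPE without a version, which NPEs at `mainVersion.length()`, and parseCpe is called for every pair, so each identifier is re-parsed once per partner; parsing each identifier once into a parallel list before the loops avoids both problems. The product prefix test (`currentProd.startsWith(nextProd)`) is intentional for axis/axis2 but also merges any two same-vendor, same-version products where one name is a prefix of the other, so log what was removed at FINE so it can be audited.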
@@ -123,7 +178,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @param dependency the dependency to remove JRE CPEs from
*/
private void removeJreEntries(Dependency dependency) {
final List<Identifier> identifiers = dependency.getIdentifiers();
final Set<Identifier> identifiers = dependency.getIdentifiers();
final Iterator<Identifier> itr = identifiers.iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
@@ -135,4 +190,24 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
}
/**
* Parses a CPE string into an Entry.
* @param type the type of identifier
* @param value the cpe identifier to parse
* @return an Entry constructed from the identifier
*/
private Entry parseCpe(String type, String value) {
if (!"cpe".equals(type)) {
return null;
}
final Entry cpe = new Entry();
try {
cpe.parseName(value);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
return null;
}
return cpe;
}
}


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.Engine;
*
* Takes a dependency and analyzes the filename and determines the hashes.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -25,7 +25,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
@@ -98,12 +98,24 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
"org.springframework.core",
Evidence.Confidence.HIGH);
final Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
final Evidence springTest3 = new Evidence("Manifest",
"Bundle-Vendor",
"SpringSource",
Evidence.Confidence.HIGH);
Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
}
evidence = dependency.getVendorEvidence().getEvidence();
if (evidence.contains(springTest3)) {
dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
}
}
}
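Review bot: the springTest3 branch adds product "springsource_spring_framework" at HIGH confidence to any dependency whose manifest vendor is "SpringSource", but Bundle-Vendor identifies the publisher, not the product, so every other bundle published under that vendor picks up a Spring Framework product hint; that is exactly the kind of spurious CPE the FalsePositiveAnalyzer in this same change tries to remove. Consider adding only the vendor evidence from springTest3, or requiring it together with springTest1/springTest2, and keep the product hint for the Bundle-SymbolicName matches. Since `evidence` is now reassigned, give the second lookup its own name (e.g. `vendorEvidence`) so both can stay final.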


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileInputStream;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.bind.JAXBException;
@@ -57,7 +58,7 @@ import org.owasp.dependencycheck.utils.Settings;
* Used to load a JAR file and collect information that can be used to determine
* the associated CPE.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
@@ -185,11 +186,23 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
*/
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
boolean addPackagesAsEvidence = false;
//todo - catch should be more granular here, one for each call likely
//todo - think about sources/javadoc jars, should we remove or move to related dependency?
try {
addPackagesAsEvidence ^= parseManifest(dependency);
addPackagesAsEvidence ^= analyzePOM(dependency);
addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
analyzePackageNames(dependency, addPackagesAsEvidence);
final boolean hasManifest = parseManifest(dependency);
final boolean hasPOM = analyzePOM(dependency);
final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
if ((!hasManifest && !hasPOM) || deepScan) {
addPackagesAsEvidence = true;
}
final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
if (!hasClasses
&& (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
|| dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
|| dependency.getFileName().toLowerCase().endsWith("-src.jar")
|| dependency.getFileName().toLowerCase().endsWith("-doc.jar"))) {
engine.getDependencies().remove(dependency);
}
} catch (IOException ex) {
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
}
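Review bot: `engine.getDependencies().remove(dependency)` runs from inside analyze while the engine is presumably iterating that same collection to call each analyzer, which is a ConcurrentModificationException unless the engine iterates over a copy; confirm that, or have analyze mark the dependency and let the engine prune after the phase. Smaller points: the four `dependency.getFileName().toLowerCase()` calls can be computed once, and the second `//todo` above the try now describes behaviour this block implements (sources/javadoc jars are removed), so it can go.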
@@ -206,6 +219,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* pom.
* @return whether or not evidence was added to the dependency
*/
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
value = "OS_OPEN_STREAM",
justification = "The reader on line 259 is closed by closing the zipEntry")
protected boolean analyzePOM(Dependency dependency) throws IOException, AnalysisException {
boolean foundSomething = false;
Properties pomProperties = null;
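Review bot: the justification `"The reader on line 259 is closed by closing the zipEntry"` ties the suppression to a line number that will drift on the next edit to this file, and ZipEntry has no close method, so the claim cannot be checked as written. Say which resource actually owns the reader (the JarFile closed in the finally block) so the suppression can be verified without the line number, or close the reader in its own finally in analyzePOM and drop the suppression.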
@@ -282,6 +298,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (artifactid != null) {
foundSomething = true;
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.LOW);
}
//version
final String version = interpolateString(pom.getVersion(), pomProperties);
@@ -301,6 +318,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
if (pomName != null) {
foundSomething = true;
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
}
//Description
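Review bot: `dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH)` rates the POM <name> as HIGH-confidence vendor evidence while the artifactId added to the vendor collection earlier in this change is rated LOW; a POM name such as the "Apache Axis2 - Kernel" example in FalsePositiveAnalyzer mixes vendor and product words, so HIGH looks generous and inconsistent. Either justify the difference in a comment or use the same confidence for both.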
@@ -343,6 +361,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
}
return foundSomething;
}
/**
* Tracks whether the jar being analyzed contains classes.
*/
private boolean hasClasses = false;
/**
* Analyzes the path information of the classes contained within the
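Review bot: `private boolean hasClasses` turns the result of one analyzePackageNames call into instance state, which makes the analyzer non-reentrant: two dependencies analyzed concurrently on the same JarAnalyzer instance race on the flag. Return the value from collectPackageNameInformation instead (a small result object holding the count and the flag, or a separate count of ".class" entries from which the caller derives hasClasses) and drop the field.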
@@ -353,76 +375,27 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
* @param dependency A reference to the dependency.
* @param addPackagesAsEvidence a flag indicating whether or not package
* names should be added as evidence.
* @return returns true or false depending on whether classes were identified in the JAR
* @throws IOException is thrown if there is an error reading the JAR file.
*/
protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
protected boolean analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
throws IOException {
hasClasses = false;
JarFile jar = null;
try {
jar = new JarFile(dependency.getActualFilePath());
final java.util.Enumeration en = jar.entries();
final Enumeration en = jar.entries();
final HashMap<String, Integer> level0 = new HashMap<String, Integer>();
final HashMap<String, Integer> level1 = new HashMap<String, Integer>();
final HashMap<String, Integer> level2 = new HashMap<String, Integer>();
final HashMap<String, Integer> level3 = new HashMap<String, Integer>();
int count = 0;
while (en.hasMoreElements()) {
final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
if (entry.getName().endsWith(".class") && entry.getName().contains("/")) {
final String[] path = entry.getName().toLowerCase().split("/");
if ("java".equals(path[0])
|| "javax".equals(path[0])
|| ("com".equals(path[0]) && "sun".equals(path[0]))) {
continue;
}
count += 1;
String temp = path[0];
if (level0.containsKey(temp)) {
level0.put(temp, level0.get(temp) + 1);
} else {
level0.put(temp, 1);
}
if (path.length > 2) {
temp += "/" + path[1];
if (level1.containsKey(temp)) {
level1.put(temp, level1.get(temp) + 1);
} else {
level1.put(temp, 1);
}
}
if (path.length > 3) {
temp += "/" + path[2];
if (level2.containsKey(temp)) {
level2.put(temp, level2.get(temp) + 1);
} else {
level2.put(temp, 1);
}
}
if (path.length > 4) {
temp += "/" + path[3];
if (level3.containsKey(temp)) {
level3.put(temp, level3.get(temp) + 1);
} else {
level3.put(temp, 1);
}
}
}
}
final int count = collectPackageNameInformation(en, level0, level1, level2, level3);
if (count == 0) {
return;
return hasClasses;
}
final EvidenceCollection vendor = dependency.getVendorEvidence();
final EvidenceCollection product = dependency.getProductEvidence();
for (String s : level0.keySet()) {
if (!"org".equals(s) && !"com".equals(s)) {
vendor.addWeighting(s);
@@ -518,6 +491,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
jar.close();
}
}
return hasClasses;
}
/**
@@ -541,8 +515,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
final Manifest manifest = jar.getManifest();
if (manifest == null) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
"Jar file '{0}' does not contain a manifest.",
dependency.getFileName());
String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()));
return false;
}
final Attributes atts = manifest.getMainAttributes();
@@ -726,4 +700,72 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
}
return false;
}
/**
* Cycles through an enumeration of JarEntries and collects level 0-3 directory
* structure names. This is helpful when analyzing vendor/product as many times
* this is included in the package name. This does not analyze core Java package
* names.
*
* @param en an Enumeration of JarEntries
* @param level0 HashMap of level 0 package names (e.g. org)
* @param level1 HashMap of level 1 package names (e.g. owasp)
* @param level2 HashMap of level 2 package names (e.g. dependencycheck)
* @param level3 HashMap of level 3 package names (e.g. analyzer)
* @return the number of entries processed that were included in the above HashMaps
*/
private int collectPackageNameInformation(Enumeration en, HashMap<String, Integer> level0,
HashMap<String, Integer> level1, HashMap<String, Integer> level2, HashMap<String, Integer> level3) {
int count = 0;
while (en.hasMoreElements()) {
final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
if (entry.getName().endsWith(".class")) {
hasClasses = true;
String[] path;
if (entry.getName().contains("/")) {
path = entry.getName().toLowerCase().split("/");
if ("java".equals(path[0])
|| "javax".equals(path[0])
|| ("com".equals(path[0]) && "sun".equals(path[0]))) {
continue;
}
} else {
path = new String[1];
path[0] = entry.getName();
}
count += 1;
String temp = path[0];
if (level0.containsKey(temp)) {
level0.put(temp, level0.get(temp) + 1);
} else {
level0.put(temp, 1);
}
if (path.length > 2) {
temp += "/" + path[1];
if (level1.containsKey(temp)) {
level1.put(temp, level1.get(temp) + 1);
} else {
level1.put(temp, 1);
}
}
if (path.length > 3) {
temp += "/" + path[2];
if (level2.containsKey(temp)) {
level2.put(temp, level2.get(temp) + 1);
} else {
level2.put(temp, 1);
}
}
if (path.length > 4) {
temp += "/" + path[3];
if (level3.containsKey(temp)) {
level3.put(temp, level3.get(temp) + 1);
} else {
level3.put(temp, 1);
}
}
}
}
return count;
}
}
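Review bot: `("com".equals(path[0]) && "sun".equals(path[0]))` compares the same element twice and can never be true; it should be `path.length > 1 && "com".equals(path[0]) && "sun".equals(path[1])` so com.sun classes are skipped as the Javadoc promises. In the else branch for classes in the default package, path[0] is the raw entry name including the ".class" suffix (e.g. "Foo.class"), which is then counted as a level-0 package name and feeds the vendor/product weighting; strip the suffix or skip those entries. Also declare the parameter as `Enumeration<JarEntry>` (importing java.util.jar.JarEntry) to drop the raw type and the cast.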


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import java.util.regex.Pattern;
* Used to load a JAR file and collect information that can be used to determine
* the associated CPE.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,8 +31,10 @@ import org.owasp.dependencycheck.dependency.Identifier;
* spring-core is in the scanned dependencies then only the spring-core will have a reference
* to the CPE values (if there are any for the version of spring being used).
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
* @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
*/
@Deprecated
public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
/**
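Review bot: the `@deprecated` tag names "the BundlingAnalyzer", but the replacement class in this change is DependencyBundlingAnalyzer; write it as `{@link DependencyBundlingAnalyzer}` so javadoc checks the reference and it survives a rename.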


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data;
* Defines an Index who's data is retrieved from the Internet. This data can be
* downloaded and the index updated.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public interface CachedWebDataSource {
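Review bot: style: "an Index who's data" in the context line should read "whose data"; since the hunk already touches this Javadoc block, fix the typo here.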


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.io.IOException;
/**
* An exception used when an error occurs reading a setting.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class UpdateException extends IOException {
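Review bot: the class Javadoc "An exception used when an error occurs reading a setting." describes a settings error, not an update failure; UpdateException extends IOException and belongs to the update service, so the sentence matches InvalidSettingException rather than this class. Reword it while the block is being touched.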


@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class UpdateService {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -43,7 +43,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
* to discern if there is an associated CPE. It uses the evidence contained
* within the dependency to search the Lucene index.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CPEAnalyzer implements Analyzer {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import org.apache.lucene.document.Document;
/**
* A CPE entry containing the name, vendor, product, and version.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Entry implements Serializable {
@@ -228,10 +228,7 @@ public class Entry implements Serializable {
return false;
}
final Entry other = (Entry) obj;
if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
return false;
}
return true;
return !((this.name == null) ? (other.name != null) : !this.name.equals(other.name));
}
@Override
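Review bot: the collapsed return at the end of `equals` stacks two negations (`!(... : !this.name.equals(...))`) and is harder to read than the four lines it replaces; the positive form `return (this.name == null) ? (other.name == null) : this.name.equals(other.name);` is equivalent and states the contract directly. Since equality now rests on `name` alone, also confirm the `hashCode()` under the `@Override` that follows is computed from `name` only, or equal entries can hash differently.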

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
* Fields is a collection of field names used within the Lucene index for CPE
* entries.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public abstract class Fields {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.data.cpe;
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;
import org.apache.lucene.analysis.Analyzer;
@@ -37,6 +36,7 @@ import org.apache.lucene.store.Directory;
import org.apache.lucene.store.FSDirectory;
import org.apache.lucene.util.Version;
import org.owasp.dependencycheck.data.lucene.AbstractIndex;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.data.lucene.VersionAnalyzer;
/**
* The Index class is used to utilize and maintain the CPE Index.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Index extends AbstractIndex {
@@ -58,8 +58,7 @@ public class Index extends AbstractIndex {
*/
public Directory getDirectory() throws IOException {
final File path = getDataDirectory();
final Directory dir = FSDirectory.open(path);
return dir;
return FSDirectory.open(path);
}
/**
@@ -71,20 +70,9 @@ public class Index extends AbstractIndex {
*/
public File getDataDirectory() throws IOException {
final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
if (!path.exists()) {
if (!path.mkdirs()) {
throw new IOException("Unable to create CPE Data directory");
}
final File path = FileUtils.getDataDirectory(fileName, Index.class);
if (!path.exists() && !path.mkdirs()) {
throw new IOException("Unable to create CPE Data directory");
}
return path;
}
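Review bot: `!path.exists() && !path.mkdirs()` still passes when a regular file (not a directory) sits at the CPE index path, because `exists()` is true for files too; the failure then surfaces later, when the Lucene directory is opened, with a less useful message. `if (!path.isDirectory() && !path.mkdirs())` fails fast with the existing "Unable to create CPE Data directory" message. Separately, the removed code resolved the directory next to the running jar and canonicalized it (`path = new File(path.getCanonicalPath());`); verify `FileUtils.getDataDirectory(fileName, Index.class)` preserves that resolution, otherwise the index silently lands relative to the current working directory.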
@@ -102,10 +90,7 @@ public class Index extends AbstractIndex {
fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
}
/**
* The search field analyzer for the product field.
@@ -133,10 +118,7 @@ public class Index extends AbstractIndex {
fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
return wrapper;
return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
}
/**
@@ -169,7 +151,6 @@ public class Index extends AbstractIndex {
*/
public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
final Document doc = convertEntryToDoc(entry);
//Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
final Term term = new Term(Fields.NAME, entry.getName());
getIndexWriter().updateDocument(term, doc);
}
@@ -196,7 +177,7 @@ public class Index extends AbstractIndex {
//TODO revision should likely be its own field
if (entry.getVersion() != null) {
Field version = null;
Field version;
if (entry.getRevision() != null) {
version = new TextField(Fields.VERSION, entry.getVersion() + " "
+ entry.getRevision(), Field.Store.NO);

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import java.util.logging.Logger;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class CweDB {
@@ -38,14 +38,14 @@ public final class CweDB {
//empty
}
/**
* A hashmap of the CWE data.
* A HashMap of the CWE data.
*/
private static final HashMap<String, String> CWE = loadData();
/**
* Loads a hashmap containing the CWE data from a resource found in the jar.
* Loads a HashMap containing the CWE data from a resource found in the jar.
*
* @return a hashmap of CWE data
* @return a HashMap of CWE data
*/
private static HashMap<String, String> loadData() {
ObjectInputStream oin = null;
@@ -53,9 +53,7 @@ public final class CweDB {
final String filePath = "data/cwe.hashmap.serialized";
final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
oin = new ObjectInputStream(input);
@SuppressWarnings("unchecked")
final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
return data;
return (HashMap<String, String>) oin.readObject();
} catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
} catch (IOException ex) {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -26,14 +26,14 @@ import org.xml.sax.helpers.DefaultHandler;
/**
* A SAX Handler that will parse the CWE XML.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CweHandler extends DefaultHandler {
/**
* a hashmap containing the CWE data.
* a HashMap containing the CWE data.
*/
private HashMap<String, String> cwe = new HashMap<String, String>();
private final HashMap<String, String> cwe = new HashMap<String, String>();
/**
* Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -41,7 +41,7 @@ import org.apache.lucene.util.Version;
* The base Index for other index objects. Implements the open and close
* methods.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public abstract class AbstractIndex {
@@ -250,14 +250,11 @@ public abstract class AbstractIndex {
* @throws IOException is thrown if there is an issue with the underlying Index
*/
public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
final QueryParser parser = getQueryParser();
final Query query = parser.parse(searchString);
resetSearchingAnalyzer();
final IndexSearcher is = getIndexSearcher();
final TopDocs docs = is.search(query, maxQueryResults);
return docs;
return is.search(query, maxQueryResults);
}
/**

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DependencySimilarity extends DefaultSimilarity {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,14 +34,14 @@ import org.apache.lucene.util.Version;
* LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is
* to index the CPE fields vendor and product.</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FieldAnalyzer extends Analyzer {
/**
* The Lucene Version used.
*/
private Version version;
private final Version version;
/**
* Creates a new FieldAnalyzer.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.lucene;
* <p>Lucene utils is a set of utilize written to make constructing Lucene
* queries simpler.</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class LuceneUtils {
@@ -40,6 +40,9 @@ public final class LuceneUtils {
* @param text the data to be escaped
*/
@SuppressWarnings("fallthrough")
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
value = "SF_SWITCH_NO_DEFAULT",
justification = "The switch below does have a default.")
public static void appendEscapedLuceneQuery(StringBuilder buf,
final CharSequence text) {
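Review bot: the justification `"The switch below does have a default."` tells the next reader nothing about why FindBugs still reports `SF_SWITCH_NO_DEFAULT` on a switch that has one; a justification should record the actual cause (most likely the detector is confused by the deliberate fall-through cases that `@SuppressWarnings("fallthrough")` already covers), or the switch should be restructured so neither suppression is needed. Also, the fully qualified `@edu.umd.cs.findbugs.annotations.SuppressWarnings` is now used in more than one class; an import would keep these annotations readable.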

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -32,14 +32,14 @@ import org.apache.lucene.util.Version;
/**
* A Lucene field analyzer used to analyzer queries against the CPE data.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class SearchFieldAnalyzer extends Analyzer {
/**
* The Lucene Version used.
*/
private Version version;
private final Version version;
/**
* A local reference to the TokenPairConcatenatingFilter so that we
* can clear any left over state if this analyzer is re-used.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
/**
* SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class SearchVersionAnalyzer extends Analyzer {
//TODO consider implementing payloads/custom attributes...
@@ -42,7 +42,7 @@ public class SearchVersionAnalyzer extends Analyzer {
/**
* The Lucene Version used.
*/
private Version version;
private final Version version;
/**
* Creates a new SearchVersionAnalyzer.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,7 +31,7 @@ import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
* <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
* Framework FrameworkCore Core".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class TokenPairConcatenatingFilter extends TokenFilter {
@@ -50,7 +50,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
/**
* A list of words parsed.
*/
private LinkedList<String> words;
private final LinkedList<String> words;
/**
* Constructs a new TokenPairConcatenatingFilter.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
/**
* VersionAnalyzer is a Lucene Analyzer used to analyze version information.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class VersionAnalyzer extends Analyzer {
//TODO consider implementing payloads/custom attributes...
@@ -42,7 +42,7 @@ public class VersionAnalyzer extends Analyzer {
/**
* The Lucene Version used.
*/
private Version version;
private final Version version;
/**
* Creates a new VersionAnalyzer.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -30,7 +30,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
* <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
* 3.0.0.RELEASE".</p>
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class VersionTokenizingFilter extends TokenFilter {
@@ -41,7 +41,7 @@ public final class VersionTokenizingFilter extends TokenFilter {
/**
* A collection of tokens to add to the stream.
*/
private LinkedList<String> tokens;
private final LinkedList<String> tokens;
/**
* Constructs a new VersionTokenizingFilter.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve;
* An exception used to indicate the db4o database is corrupt.
* This could be due to invalid data or a complete failure of the db.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
class CorruptDatabaseException extends DatabaseException {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,7 +21,6 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
@@ -37,12 +36,13 @@ import org.owasp.dependencycheck.data.cwe.CweDB;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
/**
* The database holding information about the NVD CVE data.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CveDB {
@@ -181,14 +181,19 @@ public class CveDB {
* @throws IOException thrown if there is an IO Exception
* @throws SQLException thrown if there is a SQL Exception
* @throws DatabaseException thrown if there is an error initializing a new database
* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
*/
public void open() throws IOException, SQLException, DatabaseException {
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
value = "DMI_EMPTY_DB_PASSWORD",
justification = "Yes, I know... Blank password.")
public void open() throws IOException, SQLException, DatabaseException, ClassNotFoundException {
final String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ File.separator
+ "cve";
final File f = new File(fileName);
final boolean createTables = !f.exists();
final String connStr = "jdbc:h2:file:" + fileName;
Class.forName("org.h2.Driver");
conn = DriverManager.getConnection(connStr, "sa", "");
if (createTables) {
createTables();
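Review bot: the `justification` on the `DMI_EMPTY_DB_PASSWORD` suppression should record why a blank password is acceptable here instead of "Yes, I know... Blank password.": the connection is an embedded file-mode H2 database (`"jdbc:h2:file:" + fileName`) holding NVD CVE data and is not exposed over TCP, so the `sa`/"" credentials protect nothing and the effective control is the filesystem permission on the data directory. Stating that in the justification saves the next reader (or auditor) from rediscovering it and flags the assumption that would break if the store were ever switched to server mode. Separately, `Class.forName("org.h2.Driver")` is only needed for pre-JDBC-4 drivers; if the H2 jar in use registers itself through `META-INF/services/java.sql.Driver`, the call and the `ClassNotFoundException` now threaded through `open()` and every caller can be dropped.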
@@ -305,11 +310,11 @@ public class CveDB {
rsS = selectSoftware.executeQuery();
while (rsS.next()) {
final String cpe = rsS.getString(1);
final String prevVers = rsS.getString(2);
if (prevVers == null) {
final String prevVersion = rsS.getString(2);
if (prevVersion == null) {
vuln.addVulnerableSoftware(cpe);
} else {
vuln.addVulnerableSoftware(cpe, prevVers);
vuln.addVulnerableSoftware(cpe, prevVersion);
}
}
}
@@ -407,18 +412,7 @@ public class CveDB {
*/
public static File getDataDirectory() throws IOException {
final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
final File path = FileUtils.getDataDirectory(fileName, CveDB.class);
if (!path.exists()) {
if (!path.mkdirs()) {
throw new IOException("Unable to create NVD CVE Data directory");
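Review bot: the javadoc for `getDataDirectory()` still declares only `IOException`; confirm that `FileUtils.getDataDirectory(fileName, CveDB.class)` adds no further checked exceptions and that it preserves the previous fallback to `new File(".")` when the code source is not a jar, since the `.jar` branch removed here now lives only in FileUtils. While here, include `path` in the `"Unable to create NVD CVE Data directory"` message; a permissions failure on the data directory is otherwise hard to diagnose from the log alone.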

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.data.nvdcve;
/**
* An exception thrown if an operation against the database fails.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DatabaseException extends Exception {
/**

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
* attempts to discern if there is an associated CVEs. It uses the the
* identifiers found by other analyzers to lookup the CVE data.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCveAnalyzer implements Analyzer {
@@ -53,8 +53,9 @@ public class NvdCveAnalyzer implements Analyzer {
* @throws SQLException thrown when there is a SQL Exception
* @throws IOException thrown when there is an IO Exception
* @throws DatabaseException thrown when there is a database exceptions
* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
*/
public void open() throws SQLException, IOException, DatabaseException {
public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
cveDB = new CveDB();
cveDB.open();
}
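Review bot: adding `ClassNotFoundException` to the `throws` clause of `NvdCveAnalyzer.open()` exposes a driver-loading detail of `CveDB` to every caller of the analyzer API, and each new caller must now catch it (as `DatabaseUpdater` does further down). Wrapping the `Class.forName` failure inside `CveDB.open()` as a `DatabaseException` would keep the public signature stable and confine the change to one place.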

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -54,7 +54,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DatabaseUpdater implements CachedWebDataSource {
@@ -137,6 +137,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
throw new UpdateException(ex);
} catch (DatabaseException ex) {
throw new UpdateException(ex);
} catch (ClassNotFoundException ex) {
throw new UpdateException(ex);
} finally {
try {
if (outputPath != null && outputPath.exists()) {
@@ -147,6 +149,15 @@ public class DatabaseUpdater implements CachedWebDataSource {
outputPath.deleteOnExit();
}
}
try {
if (outputPath12 != null && outputPath12.exists()) {
outputPath12.delete();
}
} finally {
if (outputPath12 != null && outputPath12.exists()) {
outputPath12.deleteOnExit();
}
}
}
}
}
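Review bot: the new `outputPath12` cleanup duplicates the `outputPath` try/finally directly above it, and in both the return value of `delete()` is discarded, so a delete that fails for any reason is silently deferred to `deleteOnExit()`, which only runs on a normal JVM exit. A small helper used for both paths that logs when `delete()` returns false would remove the duplication and make leftover NVD download files visible rather than letting them accumulate unnoticed.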
@@ -165,15 +176,15 @@ public class DatabaseUpdater implements CachedWebDataSource {
*
* @param file the file containing the NVD CVE XML
* @param oldVersion contains the file containing the NVD CVE XML 1.2
* @throws ParserConfigurationException is thrown if there is a
* parserconfigurationexception
* @throws SAXException is thrown if there is a saxexception
* @throws ParserConfigurationException is thrown if there is a parser configuration exception
* @throws SAXException is thrown if there is a SAXException
* @throws IOException is thrown if there is a ioexception
* @throws SQLException is thrown if there is a sql exception
* @throws DatabaseException is thrown if there is a database exception
* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
*/
private void importXML(File file, File oldVersion)
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
CveDB cveDB = null;
Index cpeIndex = null;
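Review bot: the `@throws IOException is thrown if there is a ioexception` and `@throws SQLException is thrown if there is a sql exception` lines in the `importXML` javadoc were left as they were while the `ParserConfigurationException` and `SAXException` lines above them were corrected; fix the remaining two in the same pass (for example `is thrown if there is an IOException` and `a SQL exception`) so the block reads consistently.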
@@ -256,7 +267,14 @@ public class DatabaseUpdater implements CachedWebDataSource {
try {
out.close();
} catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
}
}
if (os != null) {
try {
os.close();
} catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
}
}
}
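Review bot: downgrading the `out.close()` failure from `Level.SEVERE` to `Level.FINEST` hides a real error: closing an output stream also flushes its buffer, so an `IOException` here can mean the file written by `importXML` is truncated while the update is reported as successful. Keep at least `WARNING` for the `out` close, or call `out.flush()` inside the main try so a flush failure propagates, and apply the same consideration to the new `os.close()` block if `os` is the stream that `out` wraps.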
@@ -312,7 +330,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
prop.load(is);
boolean deleteAndRecreate = false;
float version = 0;
float version;
if (prop.getProperty("version") == null) {
deleteAndRecreate = true;
@@ -334,8 +352,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
FileUtils.delete(f);
//this importer also updates the CPE index and it is also using an old version
final Index cpeid = new Index();
final File cpeDir = cpeid.getDataDirectory();
final Index cpeId = new Index();
final File cpeDir = cpeId.getDataDirectory();
FileUtils.delete(cpeDir);
return currentlyPublished;
}

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
* An InvalidDataDataException is a generic exception used when trying to load
* the nvd cve meta data.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class InvalidDataException extends Exception {
/**

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
* specified. The previous version information is not in the 2.0 version of the
* schema and is useful to ensure accurate identification (or at least complete).
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve12Handler extends DefaultHandler {
@@ -69,7 +69,7 @@ public class NvdCve12Handler extends DefaultHandler {
/**
* The current element.
*/
private Element current = new Element();
private final Element current = new Element();
/**
* a map of vulnerabilities.
*/

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -38,7 +38,7 @@ import org.xml.sax.helpers.DefaultHandler;
/**
* A SAX Handler that will parse the NVD CVE XML (schema version 2.0).
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve20Handler extends DefaultHandler {
@@ -49,7 +49,7 @@ public class NvdCve20Handler extends DefaultHandler {
/**
* the current element.
*/
private Element current = new Element();
private final Element current = new Element();
/**
* the text of the node.
*/

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.FileUtils;
* the form of evidence. The Evidence is then used to determine if there are any
* known, published, vulnerabilities associated with the program dependency.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Dependency implements Comparable<Dependency> {
@@ -68,19 +68,19 @@ public class Dependency implements Comparable<Dependency> {
/**
* A list of Identifiers.
*/
private List<Identifier> identifiers;
private Set<Identifier> identifiers;
/**
* A collection of vendor evidence.
*/
private EvidenceCollection vendorEvidence;
private final EvidenceCollection vendorEvidence;
/**
* A collection of product evidence.
*/
private EvidenceCollection productEvidence;
private final EvidenceCollection productEvidence;
/**
* A collection of version evidence.
*/
private EvidenceCollection versionEvidence;
private final EvidenceCollection versionEvidence;
/**
* Constructs a new Dependency object.
@@ -89,7 +89,7 @@ public class Dependency implements Comparable<Dependency> {
vendorEvidence = new EvidenceCollection();
productEvidence = new EvidenceCollection();
versionEvidence = new EvidenceCollection();
identifiers = new ArrayList<Identifier>();
identifiers = new TreeSet<Identifier>();
vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
}
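Review bot: switching `identifiers` to a `TreeSet<Identifier>` changes the de-duplication rule from "none" (the old `ArrayList` kept every entry) to `Identifier.compareTo()`: two identifiers for which `compareTo` returns 0 are now silently merged, and iteration order becomes comparator order. Verify that `Identifier.compareTo` covers every field that distinguishes identifiers (type and value at least, since the same value can occur under different identifier types) and that it is consistent with `Identifier.equals`, otherwise evidence contributed by different analyzers can be dropped before the CVE lookup.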
@@ -222,7 +222,7 @@ public class Dependency implements Comparable<Dependency> {
*
* @return an ArrayList of Identifiers.
*/
public List<Identifier> getIdentifiers() {
public Set<Identifier> getIdentifiers() {
return this.identifiers;
}
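Review bot: the `@return` javadoc on `getIdentifiers()` still says `an ArrayList of Identifiers` although the return type is now `Set<Identifier>`; update it, and check the Velocity templates that `ReportGenerator` feeds with Dependencies for any index-based access to identifiers that a `Set` no longer supports.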
@@ -231,7 +231,7 @@ public class Dependency implements Comparable<Dependency> {
*
* @param identifiers A list of Identifiers.
*/
public void setIdentifiers(List<Identifier> identifiers) {
public void setIdentifiers(Set<Identifier> identifiers) {
this.identifiers = identifiers;
}
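Review bot: the `@param identifiers A list of Identifiers.` javadoc on `setIdentifiers` should now say a set. Also, because the field is assigned directly, a caller can pass a `HashSet` and lose the ordering and comparator-based de-duplication the constructor establishes with `TreeSet`; copying the argument into a new `TreeSet<Identifier>` here would keep the two paths consistent.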
@@ -379,8 +379,8 @@ public class Dependency implements Comparable<Dependency> {
if (str == null) {
return false;
}
if (vendorEvidence.containsUsedString(str)) {
return versionEvidence.containsUsedString(str) || productEvidence.containsUsedString(str) || vendorEvidence.containsUsedString(str);
/*if (vendorEvidence.containsUsedString(str)) {
return true;
}
if (productEvidence.containsUsedString(str)) {
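Review bot: the old `containsUsedString` body should be deleted rather than left inside a `/* ... */` block (the block closes with the `*/` in the next hunk): commented-out code preserves nothing that git history does not already preserve and will confuse the next reader of this method. The one-line replacement is equivalent in result (a boolean OR of the same three checks); the only observable difference is evaluation order (version, product, vendor instead of vendor first), which is harmless provided `containsUsedString` has no side effects.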
@@ -390,6 +390,7 @@ public class Dependency implements Comparable<Dependency> {
return true;
}
return false;
*/
}
/**
* A list of vulnerabilities for this dependency.
@@ -474,7 +475,7 @@ public class Dependency implements Comparable<Dependency> {
relatedDependencies.add(dependency);
}
/**
* Implemenation of the Comparable<Dependency> interface. The comparison
* Implementation of the Comparable<Dependency> interface. The comparison
* is solely based on the file name.
* @param o a dependency to compare
* @return an integer representing the natural ordering
@@ -482,4 +483,93 @@ public class Dependency implements Comparable<Dependency> {
public int compareTo(Dependency o) {
return this.getFileName().compareToIgnoreCase(o.getFileName());
}
/**
* Implementation of the equals method.
* @param obj the object to compare
* @return true if the objects are equal, otherwise false
*/
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Dependency other = (Dependency) obj;
if ((this.actualFilePath == null) ? (other.actualFilePath != null) : !this.actualFilePath.equals(other.actualFilePath)) {
return false;
}
if ((this.filePath == null) ? (other.filePath != null) : !this.filePath.equals(other.filePath)) {
return false;
}
if ((this.fileName == null) ? (other.fileName != null) : !this.fileName.equals(other.fileName)) {
return false;
}
if ((this.fileExtension == null) ? (other.fileExtension != null) : !this.fileExtension.equals(other.fileExtension)) {
return false;
}
if ((this.md5sum == null) ? (other.md5sum != null) : !this.md5sum.equals(other.md5sum)) {
return false;
}
if ((this.sha1sum == null) ? (other.sha1sum != null) : !this.sha1sum.equals(other.sha1sum)) {
return false;
}
if (this.identifiers != other.identifiers && (this.identifiers == null || !this.identifiers.equals(other.identifiers))) {
return false;
}
if (this.vendorEvidence != other.vendorEvidence && (this.vendorEvidence == null || !this.vendorEvidence.equals(other.vendorEvidence))) {
return false;
}
if (this.productEvidence != other.productEvidence && (this.productEvidence == null || !this.productEvidence.equals(other.productEvidence))) {
return false;
}
if (this.versionEvidence != other.versionEvidence && (this.versionEvidence == null || !this.versionEvidence.equals(other.versionEvidence))) {
return false;
}
if (this.analysisExceptions != other.analysisExceptions
&& (this.analysisExceptions == null || !this.analysisExceptions.equals(other.analysisExceptions))) {
return false;
}
if ((this.description == null) ? (other.description != null) : !this.description.equals(other.description)) {
return false;
}
if ((this.license == null) ? (other.license != null) : !this.license.equals(other.license)) {
return false;
}
if (this.vulnerabilities != other.vulnerabilities && (this.vulnerabilities == null || !this.vulnerabilities.equals(other.vulnerabilities))) {
return false;
}
if (this.relatedDependencies != other.relatedDependencies
&& (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
return false;
}
return true;
}
/**
* Generates the HashCode.
* @return the HashCode
*/
@Override
public int hashCode() {
int hash = 3;
hash = 47 * hash + (this.actualFilePath != null ? this.actualFilePath.hashCode() : 0);
hash = 47 * hash + (this.filePath != null ? this.filePath.hashCode() : 0);
hash = 47 * hash + (this.fileName != null ? this.fileName.hashCode() : 0);
hash = 47 * hash + (this.fileExtension != null ? this.fileExtension.hashCode() : 0);
hash = 47 * hash + (this.md5sum != null ? this.md5sum.hashCode() : 0);
hash = 47 * hash + (this.sha1sum != null ? this.sha1sum.hashCode() : 0);
hash = 47 * hash + (this.identifiers != null ? this.identifiers.hashCode() : 0);
hash = 47 * hash + (this.vendorEvidence != null ? this.vendorEvidence.hashCode() : 0);
hash = 47 * hash + (this.productEvidence != null ? this.productEvidence.hashCode() : 0);
hash = 47 * hash + (this.versionEvidence != null ? this.versionEvidence.hashCode() : 0);
hash = 47 * hash + (this.analysisExceptions != null ? this.analysisExceptions.hashCode() : 0);
hash = 47 * hash + (this.description != null ? this.description.hashCode() : 0);
hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
return hash;
}
}
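Review bot: `equals()` and `hashCode()` now derive from every field of `Dependency`, including the mutable collections `identifiers`, `vulnerabilities` and `relatedDependencies` that the analyzers populate after the object is created, so a Dependency's hash changes during analysis and any instance already stored in a `HashSet` or `HashMap` becomes unreachable. Two further problems: `compareTo()`, kept just above, orders solely by file name while `equals()` compares everything, so `compareTo` is inconsistent with `equals` and a `TreeSet<Dependency>` will behave differently from a `HashSet`; and `relatedDependencies` holds `Dependency` objects (see `relatedDependencies.add(dependency)` in the previous hunk), so two dependencies that list each other as related will recurse through `equals`/`hashCode` until `StackOverflowError`. Suggest restricting both methods to the identity fields (`sha1sum`, `md5sum`, `filePath`, `fileName`) and leaving the analysis results out.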

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.dependency;
/**
* Evidence is a piece of information about a Dependency.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Evidence implements Comparable<Evidence> {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.utils.Filter;
/**
* Used to maintain a collection of Evidence.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class EvidenceCollection implements Iterable<Evidence> {
@@ -80,7 +80,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
*
* @param confidence the confidence level for the evidence to be iterated
* over.
* @return Iterable<Evidence>.
* @return Iterable<Evidence> an iterable collectoin of evidence
*/
public final Iterable<Evidence> iterator(Evidence.Confidence confidence) {
if (confidence == Evidence.Confidence.HIGH) {
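Review bot: typo in the new javadoc line: `collectoin` should be `collection`.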
@@ -94,11 +94,11 @@ public class EvidenceCollection implements Iterable<Evidence> {
/**
* A collection of evidence.
*/
private Set<Evidence> list;
private final Set<Evidence> list;
/**
* A collection of strings used to adjust lucene's term weighting.
* A collection of strings used to adjust Lucene's term weighting.
*/
private Set<String> weightedStrings;
private final Set<String> weightedStrings;
/**
* Creates a new EvidenceCollection.

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.dependency;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Identifier implements Comparable<Identifier> {
@@ -31,7 +31,7 @@ public class Identifier implements Comparable<Identifier> {
* @param value the identifier value.
* @param url the identifier url.
*/
Identifier(String type, String value, String url) {
public Identifier(String type, String value, String url) {
this.type = type;
this.value = value;
this.url = url;
@@ -45,7 +45,7 @@ public class Identifier implements Comparable<Identifier> {
* @param url the identifier url.
* @param description the description of the identifier.
*/
Identifier(String type, String value, String url, String description) {
public Identifier(String type, String value, String url, String description) {
this(type, value, url);
this.description = description;
}

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -24,7 +24,7 @@ import java.io.Serializable;
* An external reference for a vulnerability. This contains a name, URL, and a
* source.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Reference implements Serializable, Comparable<Reference> {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -26,7 +26,7 @@ import java.util.TreeSet;
/**
* Contains the information about a vulnerability.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class Vulnerability implements Serializable, Comparable<Vulnerability> {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.util.Comparator;
/**
* Comparator for Vulnerability objects.
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
/**

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import org.owasp.dependencycheck.data.cpe.Entry;
* A record containing information about vulnerable software. This
* is referenced from a vulnerability.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class VulnerableSoftware extends Entry implements Serializable, Comparable<VulnerableSoftware> {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -44,18 +44,36 @@ import org.owasp.dependencycheck.dependency.Dependency;
* the generator uses the Velocity Templating Engine. The ReportGenerator exposes
* a list of Dependencies to the template when generating the report.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class ReportGenerator {
/**
* An enumeration of the report formats.
*/
public enum Format {
/**
* Generate all reports.
*/
ALL,
/**
* Generate XML report.
*/
XML,
/**
* Generate HTML report.
*/
HTML
}
/**
* The Velocity Engine.
*/
private VelocityEngine engine;
private final VelocityEngine engine;
/**
* The Velocity Engine Context.
*/
private Context context;
private final Context context;
/**
* Constructs a new ReportGenerator.
@@ -82,6 +100,7 @@ public class ReportGenerator {
*/
private VelocityEngine createVelocityEngine() {
final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve;
@@ -105,18 +124,39 @@ public class ReportGenerator {
/**
* Generates the Dependency Reports for the identified dependencies.
*
* @param outputDir the path where the reports should be written.
* @param outputFormat the format the report should be written in.
* @throws IOException is thrown when the template file does not exist.
* @param outputDir the path where the reports should be written
* @param format the format the report should be written in
* @throws IOException is thrown when the template file does not exist
* @throws Exception is thrown if there is an error writing out the
* reports.
*/
public void generateReports(String outputDir, Format format) throws IOException, Exception {
if (format == Format.XML || format == Format.ALL) {
generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
}
if (format == Format.HTML || format == Format.ALL) {
generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
}
}
/**
* Generates the Dependency Reports for the identified dependencies.
*
* @param outputDir the path where the reports should be written
* @param outputFormat the format the report should be written in (XML, HTML, ALL)
* @throws IOException is thrown when the template file does not exist
* @throws Exception is thrown if there is an error writing out the
* reports.
*/
public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
if ("XML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
if ("XML".equalsIgnoreCase(outputFormat)) {
generateReports(outputDir, Format.XML);
}
if ("HTML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
if ("HTML".equalsIgnoreCase(outputFormat)) {
generateReports(outputDir, Format.HTML);
}
if ("ALL".equalsIgnoreCase(outputFormat)) {
generateReports(outputDir, Format.ALL);
}
}
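Review bot: an `outputFormat` that matches none of "XML", "HTML" or "ALL" (including null, since `"XML".equalsIgnoreCase(null)` is simply false) falls through all three `if` blocks in the String overload and silently produces no report, just as the old code did; because the CLI help advertises exactly those three values, parse the string once with `Format.valueOf(outputFormat.toUpperCase(Locale.ENGLISH))` and turn the `IllegalArgumentException` into a clear error, or at least log a warning, so a typo in the format option is not mistaken for a successful scan that found nothing. The enum overload also keeps the bare `@throws Exception is thrown if there is an error writing out the reports` together with `throws IOException, Exception` in the signature, which leaves callers nothing specific to catch; narrowing to a concrete exception type would help.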
@@ -130,7 +170,7 @@ public class ReportGenerator {
* @throws IOException is thrown when the template file does not exist.
* @throws Exception is thrown when an exception occurs.
*/
public void generateReport(String templateName, String outFileName) throws IOException, Exception {
protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
InputStream input = null;
String templatePath = null;
final File f = new File(templateName);
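Review bot: narrowing `generateReport(String, String)` from `public` to `protected` is a source-incompatible change for any caller outside the package that is not a subclass; the Jenkins plugin mentioned in the new `VelocityLoggerRedirect` javadoc is the kind of consumer that may have called it directly with its own template name. If the intent is that the template is no longer caller-chosen, consider deprecating first or calling the change out in the release notes.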
@@ -154,9 +194,13 @@ public class ReportGenerator {
OutputStream outputStream = null;
try {
final File outDir = new File(outFileName).getParentFile();
if (!outDir.exists()) {
outDir.mkdirs();
}
outputStream = new FileOutputStream(outFileName);
writer = new OutputStreamWriter(outputStream, "UTF-8");
//writer = new BufferedWriter(oswriter);
if (!engine.evaluate(context, writer, templatePath, reader)) {
throw new Exception("Failed to convert the template into html.");
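Review bot: the return value of `outDir.mkdirs()` is ignored, and `new File(outFileName).getParentFile()` returns null when `outFileName` has no directory component, so `outDir.exists()` would throw a NullPointerException; check for null, and when `mkdirs()` returns false and the directory still does not exist, fail with an `IOException` naming the path rather than letting the `FileOutputStream` constructor produce a less specific error. The message `"Failed to convert the template into html."` is also misleading now that the same path writes the XML report; include `templateName` or `outFileName` in the message instead.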

View File

@@ -0,0 +1,103 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Steve Springett. All Rights Reserved.
*/
package org.owasp.dependencycheck.reporting;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.log.LogChute;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* <p>DependencyCheck uses {@link java.util.logging.Logger} as a logging framework,
* and Apache Velocity uses a custom logging implementation that outputs to a
* file named velocity.log by default. This class is an implementation of a
* custom Velocity logger that redirects all velocity logging to the Java Logger
* class.
* </p><p>
* This class was written to address permission issues when using Dependency-Check
* in a server environment (such as the Jenkins plugin). In some circumstances,
* Velocity would attempt to create velocity.log in an un-writable directory.</p>
*
* @author Steve Springett (steve.springett@owasp.org)
*/
public class VelocityLoggerRedirect implements LogChute {
/**
* This will be invoked once by the LogManager.
* @param rsvc the RuntimeServices
*/
public void init(RuntimeServices rsvc) {
// do nothing
}
/**
* Given a Velocity log level and message, this method will
* call the appropriate Logger level and log the specified values.
* @param level the logging level
* @param message the message to be logged
*/
public void log(int level, String message) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
}
/**
* Given a Velocity log level, message and Throwable, this method will
* call the appropriate Logger level and log the specified values.
* @param level the logging level
* @param message the message to be logged
* @param t a throwable to log
*/
public void log(int level, String message, Throwable t) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
}
/**
* Will always return true. The property file will decide what level to log.
* @param level the logging level
* @return true
*/
public boolean isLevelEnabled(int level) {
return true;
}
/**
* Maps Velocity log levels to {@link Logger} values.
* @param velocityLevel the logging level
* @return the logging level
*/
private Level getLevel(int velocityLevel) {
switch (velocityLevel) {
case TRACE_ID:
return Level.ALL;
case DEBUG_ID:
return Level.FINE;
case INFO_ID:
return Level.INFO;
case WARN_ID:
return Level.WARNING;
case ERROR_ID:
return Level.SEVERE;
default:
return Level.INFO;
}
}
}
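Review bot: mapping `TRACE_ID` to `Level.ALL` in `getLevel` is not quite right, because `Level.ALL` is a threshold (`Integer.MIN_VALUE`) rather than a message level; a record logged at `Level.ALL` is emitted only when the logger's own level is `ALL`, whereas `Level.FINEST` is the conventional level for trace output. Separately, `isLevelEnabled` returning true unconditionally makes Velocity format every message before the Java logger discards it; delegating to `Logger.getLogger(Velocity.class.getName()).isLoggable(getLevel(level))` keeps the property-file decision the javadoc describes while avoiding the wasted work. If the project targets Java 6 or later, `@Override` on the four `LogChute` methods would let the compiler catch a signature drift in a future Velocity release.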

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -33,7 +33,7 @@ import org.apache.commons.cli.PosixParser;
/**
* A utility to parse command line arguments for the DependencyCheck.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class CliParser {
@@ -44,7 +44,7 @@ public final class CliParser {
/**
* The options for the command line parser.
*/
private Options options = createCommandLineOptions();
private final Options options = createCommandLineOptions();
/**
* Indicates whether the arguments are valid.
*/
@@ -75,8 +75,7 @@ public final class CliParser {
*/
private CommandLine parseArgs(String[] args) throws ParseException {
final CommandLineParser parser = new PosixParser();
final CommandLine ln = parser.parse(options, args);
return ln;
return parser.parse(options, args);
}
/**
@@ -102,7 +101,7 @@ public final class CliParser {
+ "the 'out' argument.");
}
}
if (!line.hasOption(ArgumentName.APPNAME)) {
if (!line.hasOption(ArgumentName.APP_NAME)) {
throw new ParseException("Scan cannot be run without specifying an application "
+ "name via the 'app' argument.");
}
@@ -160,21 +159,30 @@ public final class CliParser {
final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
"print this message.");
final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
"shows additional help regarding properties file.");
final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
"extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
false, "print the version information.");
final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
false, "disables the automatic updating of the CPE data.");
final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
.withDescription("the name of the application being scanned.")
.create(ArgumentName.APPNAME_SHORT);
.create(ArgumentName.APP_NAME_SHORT);
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
.withDescription("the connection timeout (in milliseconds) to use when downloading resources.")
.create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
.withDescription("the proxy url to use when downloading resources.")
.create(ArgumentName.PROXY_URL_SHORT);
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
.withDescription("the proxy port to use when downloading resources.")
.create(ArgumentName.PROXY_PORT_SHORT);
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
.withDescription("the path to scan - this option can be specified multiple times.")
@@ -188,26 +196,26 @@ public final class CliParser {
.withDescription("the folder to write reports to.")
.create(ArgumentName.OUT_SHORT);
final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
.withDescription("the output format to write to (XML, HTML, ALL).")
.create(ArgumentName.OUTPUT_FORMAT_SHORT);
//TODO add the ability to load a properties file to override the defaults...
final OptionGroup og = new OptionGroup();
og.addOption(path);
final Options opts = new Options();
opts.addOptionGroup(og);
opts.addOption(out);
opts.addOption(outputformat);
opts.addOption(appname);
opts.addOption(outputFormat);
opts.addOption(appName);
opts.addOption(version);
opts.addOption(help);
opts.addOption(noupdate);
opts.addOption(noUpdate);
opts.addOption(deepScan);
opts.addOption(props);
opts.addOption(advancedHelp);
opts.addOption(proxyPort);
opts.addOption(proxyUrl);
opts.addOption(connectionTimeout);
return opts;
}
@@ -245,16 +253,6 @@ public final class CliParser {
public void printHelp() {
final HelpFormatter formatter = new HelpFormatter();
final String nl = System.getProperty("line.separator");
String advancedHelp = null;
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
advancedHelp = nl + nl
+ "Additionally, the following properties are supported and can be specified either"
+ "using the -p <file> argument or by passing them in as system properties." + nl
+ nl + " " + Settings.KEYS.PROXY_URL + "\t\t the proxy URL to use when downloading resources."
+ nl + " " + Settings.KEYS.PROXY_PORT + "\t\t the proxy port to use when downloading resources."
+ nl + " " + Settings.KEYS.CONNECTION_TIMEOUT + "\t the connection timeout (in milliseconds) to use"
+ nl + "\t\t\t when downloading resources.";
}
formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
nl + Settings.getString("application.name", "DependencyCheck")
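Review bot: removing the advanced-help text leaves the `advancedhelp` option itself in place, since the unchanged lines in the option-building method still construct `advancedHelp` from `ArgumentName.ADVANCED_HELP_SHORT` / `ArgumentName.ADVANCED_HELP` and register it with `opts.addOption(advancedHelp)`; after this change the flag is still listed in the usage output but does nothing. Either remove the option along with the text, or keep a short message listing the `Settings.KEYS` properties that the new proxy and timeout CLI options map onto.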
@@ -264,9 +262,6 @@ public final class CliParser {
options,
"",
true);
if (advancedHelp != null) {
System.out.println(advancedHelp);
}
}
/**
@@ -305,7 +300,31 @@ public final class CliParser {
* @return the application name.
*/
public String getApplicationName() {
return line.getOptionValue(ArgumentName.APPNAME);
return line.getOptionValue(ArgumentName.APP_NAME);
}
/**
* Returns the connection timeout.
* @return the connection timeout
*/
public String getConnectionTimeout() {
return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
}
/**
* Returns the proxy url.
* @return the proxy url
*/
public String getProxyUrl() {
return line.getOptionValue(ArgumentName.PROXY_URL);
}
/**
* Returns the proxy port.
* @return the proxy port
*/
public String getProxyPort() {
return line.getOptionValue(ArgumentName.PROXY_PORT);
}
/**
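Review bot: `getConnectionTimeout` and `getProxyPort` hand back the raw option strings, so a non-numeric `connectiontimeout` or `proxyport` value is only detected wherever the value is later parsed into an int, far from the user's input; validate both in the same method that rejects a missing `app` argument with a `ParseException`, so the error surfaces at startup with the option name attached. Like `getApplicationName`, these getters also dereference `line` without checking that parsing has happened; that is consistent with the existing code, but a null guard or an `IllegalStateException` would make the failure mode explicit.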
@@ -385,12 +404,12 @@ public final class CliParser {
* The long CLI argument name specifying the name of the application to
* be scanned.
*/
public static final String APPNAME = "app";
public static final String APP_NAME = "app";
/**
* The short CLI argument name specifying the name of the application to
* be scanned.
*/
public static final String APPNAME_SHORT = "a";
public static final String APP_NAME_SHORT = "a";
/**
* The long CLI argument name asking for help.
*/
@@ -408,13 +427,29 @@ public final class CliParser {
*/
public static final String VERSION = "version";
/**
* The CLI argument name asking for advanced help.
* The short CLI argument name indicating the proxy port.
*/
public static final String ADVANCED_HELP_SHORT = "ah";
public static final String PROXY_PORT_SHORT = "p";
/**
* The short CLI argument name asking for advanced help.
* The CLI argument name indicating the proxy port.
*/
public static final String ADVANCED_HELP = "advancedhelp";
public static final String PROXY_PORT = "proxyport";
/**
* The short CLI argument name indicating the proxy url.
*/
public static final String PROXY_URL_SHORT = "u";
/**
* The CLI argument name indicating the proxy url.
*/
public static final String PROXY_URL = "proxyurl";
/**
* The short CLI argument name indicating the proxy url.
*/
public static final String CONNECTION_TIMEOUT_SHORT = "c";
/**
* The CLI argument name indicating the proxy url.
*/
public static final String CONNECTION_TIMEOUT = "connectiontimeout";
/**
* The short CLI argument name indicating a deep scan of the dependencies
* should be performed.
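Review bot: three problems in this block of constants. First, the javadoc on `CONNECTION_TIMEOUT_SHORT` and `CONNECTION_TIMEOUT` still reads "indicating the proxy url", a copy-paste from the `PROXY_URL` entries above it. Second, `PROXY_PORT_SHORT = "p"` appears to collide with the properties-file option, which the help text removed in an earlier hunk describes as `-p <file>`; Commons CLI keeps short options in a map keyed by that letter, so whichever `addOption` call runs last wins and the other option silently becomes unreachable. Please verify the short name of `props` in the unchanged part of `ArgumentName` and pick a different letter if they clash. Third, `ADVANCED_HELP_SHORT` and `ADVANCED_HELP` are removed here but are still referenced by the unchanged lines that build the `advancedHelp` option; unless they are re-declared elsewhere in the file outside this hunk, this will not compile.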

View File

@@ -0,0 +1,114 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
/**
* <p>Simple object to track the parts of a version number. The parts are
* contained in a List such that version 1.2.3 will be stored as:
* <code>versionParts[0] = 1;
* versionParts[1] = 2;
* versionParts[2] = 3;
* </code></p>
* <p>Note, the parser contained in this class expects the version numbers to be
* separated by periods. If a different separator is used the parser will likely
* fail.</p>
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DependencyVersion implements Iterable {
/**
* Constructor for a empty DependencyVersion.
*/
public DependencyVersion() {
versionParts = new ArrayList<String>();
}
/**
* Constructor for a DependencyVersion that will parse a version string.
* @param version the version number to parse
*/
public DependencyVersion(String version) {
parseVersion(version);
}
/**
* Parses a version string into its sub parts: major, minor, revision, build, etc.
* @param version the version string to parse
*/
public final void parseVersion(String version) {
versionParts = new ArrayList<String>();
if (version != null) {
final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
final Matcher matcher = rx.matcher(version.toLowerCase());
while (matcher.find()) {
versionParts.add(matcher.group());
}
if (versionParts.isEmpty()) {
versionParts.add(version);
}
}
}
/**
* A list of the version parts.
*/
private List<String> versionParts;
/**
* Get the value of versionParts.
*
* @return the value of versionParts
*/
public List<String> getVersionParts() {
return versionParts;
}
/**
* Set the value of versionParts.
*
* @param versionParts new value of versionParts
*/
public void setVersionParts(List<String> versionParts) {
this.versionParts = versionParts;
}
/**
* Retrieves an iterator for the version parts.
*
* @return an iterator for the version parts
*/
public Iterator iterator() {
return versionParts.iterator();
}
/**
* Reconstructs the version string from the split version parts.
* @return a string representing the version.
*/
@Override
public String toString() {
return StringUtils.join(versionParts.toArray(), ".");
}
}
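Review bot: `DependencyVersion` implements the raw `Iterable` and `iterator()` returns a raw `Iterator`, so every for-each over it yields `Object` and loses the `String` type the list actually holds; declare `implements Iterable<String>` and return `Iterator<String>`. The parser regex `(\\d+|[a-z]+\\d+)` also silently drops purely alphabetic qualifiers, so "1.0-snapshot" and "1.0" both parse to the parts `[1, 0]` while "1.0-rc1" keeps `rc1`; if that asymmetry is intended, the class javadoc should say so, because it decides whether two versions later compare as equal. Finally, `setVersionParts(null)` is accepted and then makes `toString` and `iterator` throw NullPointerException; reject null or substitute an empty list.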

View File

@@ -0,0 +1,70 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.</p>
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class DependencyVersionUtil {
/**
* Regular expression to extract version numbers from file names.
*/
private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
/**
* Private constructor for utility class.
*/
private DependencyVersionUtil() {
}
/**
* <p>A utility class to extract version numbers from file names (or other strings
* containing version numbers.<br/>
* Example:<br/>
* Give the file name: library-name-1.4.1r2-release.jar<br/>
* This function would return: 1.4.1.r2</p>
*
* @param filename the filename being analyzed
* @return a DependencyVersion containing the version
*/
public static DependencyVersion parseVersionFromFileName(String filename) {
if (filename == null) {
return null;
}
String version = null;
final Matcher matcher = RX_VERSION.matcher(filename);
if (matcher.find()) {
version = matcher.group();
}
//throw away the results if there are two things that look like version numbers
if (matcher.find()) {
return null;
}
if (version == null) {
return null;
}
return new DependencyVersion(version);
}
}
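Review bot: the guard that discards the result when `matcher.find()` succeeds a second time returns null with no indication of why, which makes a filename containing two dotted number groups indistinguishable from one with no version at all; log at FINE which two candidates were seen, or return the first and let the caller decide. The method javadoc also repeats the class-level description ("A utility class to extract version numbers...") instead of describing `parseVersionFromFileName`, and both copies are missing the closing parenthesis after "containing version numbers". One behavioural note on `RX_VERSION`: the optional suffix `(\\.?[a-zA-Z_-]{1,3}\\d+)?` allows at most three letters or punctuation characters before the trailing digits, so `1.4.1r2` and `1.4.1-rc1` are captured whole but `1.4.1-beta2` yields just `1.4.1`; a unit test pinning that down as intended would be worthwhile.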

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.io.IOException;
/**
* An exception used when a download fails.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DownloadFailedException extends IOException {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -36,7 +36,7 @@ import java.util.zip.InflaterInputStream;
/**
* A utility to download files from the Internet.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class Downloader {
@@ -126,7 +126,7 @@ public final class Downloader {
writer = new BufferedOutputStream(new FileOutputStream(outputPath));
final byte[] buffer = new byte[4096];
int bytesRead = 0;
int bytesRead;
while ((bytesRead = reader.read(buffer)) > 0) {
writer.write(buffer, 0, bytesRead);
}

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -21,11 +21,12 @@ package org.owasp.dependencycheck.utils;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URLDecoder;
/**
* A collection of utilities for processing information about files.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class FileUtils {
@@ -67,4 +68,34 @@ public final class FileUtils {
throw new FileNotFoundException("Failed to delete file: " + file);
}
}
/**
* Returns the data directory. If a path was specified in dependencycheck.properties
* or was specified using the Settings object, and the path exists, that path will be
* returned as a File object. If it does not exist, then a File object will be created
* based on the file location of the JAR containing the specified class.
*
* @param configuredFilePath the configured relative or absolute path
* @param clazz the class whos path will be resolved
* @return a File object
* @throws IOException is thrown if the path could not be decoded
*/
public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
final File file = new File(configuredFilePath);
if (file.exists() && file.isDirectory() && file.canWrite()) {
return new File(file.getCanonicalPath());
} else {
final String filePath = clazz.getProtectionDomain().getCodeSource().getLocation().getPath();
final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
final File path = new File(exePath.getCanonicalFile() + File.separator + configuredFilePath);
return new File(path.getCanonicalPath());
}
}
}
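Review bot: `clazz.getProtectionDomain().getCodeSource()` can return null (for classes loaded by the bootstrap loader, and under some container class loaders), which turns the fallback branch into a NullPointerException; guard it and throw an `IOException` with a clear message instead. The fallback directory is also never checked the way the configured one is: the first branch requires `exists() && isDirectory() && canWrite()`, but the path derived from the JAR location is returned without creating it or checking that it is writable, so a read-only install directory (the same situation the new `VelocityLoggerRedirect` exists to handle) surfaces later as a failure far from this method. Two smaller points: when the class is not loaded from a `.jar`, the code silently falls back to `"."`, i.e. the current working directory, which should at least be logged; and `new File(file.getCanonicalPath())` is just `file.getCanonicalFile()`. The javadoc's "whos" should be "whose".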

View File

@@ -31,7 +31,7 @@ public abstract class Filter<T> {
private class FilterIterator implements Iterator<T> {
private Iterator<T> iterator;
private final Iterator<T> iterator;
private T next;
private FilterIterator(Iterator<T> iterator) {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -23,7 +23,7 @@ import java.io.IOException;
/**
* An exception used when an error occurs reading a setting.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class InvalidSettingException extends IOException {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -26,7 +26,7 @@ import java.io.InputStream;
* processes the stream from closing it. This is necessary when dealing with
* things like JAXB and zipInputStreams.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NonClosingStream extends FilterInputStream {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -29,7 +29,7 @@ import java.util.logging.Logger;
/**
* A simple settings container that wraps the dependencycheck.properties file.
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public final class Settings {
@@ -37,7 +37,6 @@ public final class Settings {
* The collection of keys used within the properties file.
*/
public static final class KEYS {
/**
* private constructor because this is a "utility" class containing constants
*/
@@ -45,6 +44,12 @@ public final class Settings {
//do nothing
}
/**
* The properties key indicating whether or not the cached data sources
* should be updated.
*/
public static final String AUTO_UPDATE = "autoupdate";
/**
* The properties key for the path where the CPE Lucene Index will be
* stored.
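Review bot: the new AUTO_UPDATE javadoc should state the value format and the shipped default; the properties file in this same change sets `autoupdate=true`, so a reader of this constant alone cannot tell that the cached CPE/CVE data is refreshed on every run unless it is explicitly disabled. Suggest extending the comment, e.g. `* should be updated (true/false; defaults to true in dependencycheck.properties).`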
@@ -145,7 +150,7 @@ public final class Settings {
try {
props.load(in);
} catch (IOException ex) {
Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, null, ex);
Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.", ex);
}
}
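Review bot: the catch block at the end of this hunk still only logs a failure to load the default properties and then carries on; the message is clearer than the old `null`, but a Settings instance that silently comes up empty will surface later as null returns from `Settings.getString` (for example the CPE_INDEX/CVE_INDEX lookups in the test base classes). Consider failing initialization explicitly, e.g. `throw new IllegalStateException("Unable to load default settings.", ex);` after the log call.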

View File

@@ -1,5 +1,6 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
# the path to the lucene index to store the cpe data
cpe=data/cpe
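Review bot: `autoupdate=true` is the only key in this hunk without an explanatory `#` comment, unlike the `cpe`/`cve` entries around it; add a line such as `# set to false to skip refreshing the cached CPE and CVE data` so operators running offline know which switch to flip, and note that true is the default.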
@@ -8,7 +9,6 @@ cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-diction
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the path to the lucene index to store the nvd cve data
cve=data/cve
# the path to the nvd cve "meta" page where the timestamps for the last update files can be found.

View File

@@ -1,22 +1,22 @@
#**
This file is part of DependencyCheck.
This file is part of Dependency-Check.
DependencyCheck is free software: you can redistribute it and/or modify
Dependency-Check is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
DependencyCheck is distributed in the hope that it will be useful,
Dependency-Check is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long (jeremy.long@gmail.com)
@author Jeremy Long (jeremy.long@owasp.org)
@version 1
*#
@@ -25,7 +25,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<!DOCTYPE html>
<html>
<head>
<title></title>
<title>Dependency-Check Report</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="shortcut icon" href="data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAadEVYdFNvZnR3YXJlAFBhaW50Lk5FVCB2My41LjEwMPRyoQAAANVJREFUOE9jYKAi+A80Cxn/APLnA7EQsXaANB9BUiwJZD8C4ktAzEKMIegGgPRYQl0VTq4BfFADJpBlgIHjfxNV45P/gTQMnwOyPXAZhuIFoEJHkEZB8ej/DIysR4FsDiAugRqG1UtwA4CKWID4hZ7997VQL0wlyQtAzaYgm5QN9rSTFYhAzeEgA/hFAs5Bo5LoaAQnJAGxcHCgCYpHbSclIcG9CdRsBw2sFGL8jqEGFohAegVZBoA0waIRSEdDDUSOxgSiDAYlJCAGJR6iEhJRhqIrAgDHLHfYX71qMgAAAABJRU5ErkJggg==" />
<script type="text/javascript">
@@ -314,7 +314,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
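Review bot: the new `#if ($dependency.license.startsWith("http://"))` branch misses `https://` licence URLs, which fall through to the plain-text branch; cover both schemes, e.g. `#if ($dependency.license.startsWith("http://") || $dependency.license.startsWith("https://"))`. Keep the `$esc.html` on both the `href` and the link text as written, since the licence string originates in the scanned artifact and is untrusted in this report context.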
@@ -368,7 +372,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)
<ul>
<li>File Path:&nbsp;$esc.html($dependency.FilePath)</li>
<li>File Path:&nbsp;$esc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
</ul>
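Review bot: the `$dependency.FilePath` to `$related.FilePath` change corrects the related-dependency list, which was printing the parent's path; the SHA1 and MD5 lines in the same `<ul>` already used `$related`, so this was a copy-paste slip. A regression test that renders a dependency with at least one related dependency and checks the emitted path would keep it from coming back.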
@@ -394,7 +398,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#foreach($id in $dependency.getIdentifiers())
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
#if( $id.descrription )
#if( $id.description )
<br/>$esc.html($id.description)
#end
</li>
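Review bot: the `descrription` to `description` fix means this block renders for the first time, so its `$esc.html` escaping is now actually exercised; keep it. Separately, the comment just above this hunk notes the `href` is only HTML-encoded because the analyzer is trusted; since `$id.url` lands directly in an anchor attribute, consider restricting it to `http`/`https` values and rendering anything else as plain text, so a malformed identifier URL degrades to text rather than a clickable link.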

View File

@@ -1,22 +1,22 @@
#**
This file is part of DependencyCheck.
This file is part of Dependency-Check.
DependencyCheck is free software: you can redistribute it and/or modify
Dependency-Check is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
DependencyCheck is distributed in the hope that it will be useful,
Dependency-Check is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long (jeremy.long@gmail.com)
@author Jeremy Long (jeremy.long@owasp.org)
@version 1
*#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check">

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class EngineIntegrationTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class AbstractAnalyzerTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class AnalyzerServiceTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FileNameAnalyzerTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class JarAnalyzerTest {

View File

@@ -1,42 +1,41 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.cpe;
import org.owasp.dependencycheck.data.cpe.Index;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public abstract class BaseIndexTestCase {
@@ -59,17 +58,7 @@ public abstract class BaseIndexTestCase {
protected static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
return path;
return FileUtils.getDataDirectory(fileName, Index.class);
}
public static void ensureIndexExists() throws Exception {
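Review bot: replacing the inlined jar/working-directory lookup with `FileUtils.getDataDirectory(fileName, Index.class)` removes a block that BaseDBTestCase duplicates verbatim, which is good; but the removed code canonicalized the path and fell back to `"."` when not running from a jar, and IndexTest later asserts the directory string contains `/target/data/cpe`, so confirm the helper preserves that behaviour. The hunk header (42 lines to 41) shows the `URLDecoder` import was dropped; check the remaining `java.io`/`java.util.zip` imports are all still used by `ensureIndexExists`.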

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,10 +31,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
import org.junit.Assert;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.Identifier;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CPEAnalyzerTest extends BaseIndexTestCase {
@@ -110,6 +111,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
CPEAnalyzer instance = new CPEAnalyzer();
instance.open();
String expResult = "cpe:/a:apache:struts:2.1.2";
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
instance.determineCPE(depends);
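Review bot: `new Identifier("cpe", expResult, expResult)` passes the CPE string as the url argument too; per the `Identifier(type, value, url)` usage in DependencyTest the third argument is a URL, so the later `contains(expIdentifier)` check only passes if `Identifier.equals` ignores url or the analyzer sets url to the CPE string as well. Add a comment stating which is the case, or build the expected identifier with the URL the analyzer actually produces.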
@@ -117,7 +119,9 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
instance.determineCPE(spring3);
instance.close();
Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().contains(expIdentifier));
//the following two only work if the HintAnalyzer is used.
//Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
//Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
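Review bot: moving from `get(0).getValue().equals(expResult)` to `contains(expIdentifier)` is the right change now that `getIdentifiers()` returns a Set (index-based access no longer compiles and order is not defined), but the commented-out Spring assertions at the bottom of this hunk still use `get(0)`; update them to the Set form or delete them so they do not rot further.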

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import org.junit.Assert;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class EntryTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class IndexIntegrationTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,11 +28,12 @@ import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class IndexTest {
@@ -61,7 +62,8 @@ public class IndexTest {
try {
instance.open();
} catch (IOException ex) {
Assert.fail(ex.getMessage());
assertNull(ex.getMessage(), ex);
//Assert.fail(ex.getMessage());
}
instance.close();
}
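Review bot: `assertNull(ex.getMessage(), ex)` is a roundabout way to fail the test: the first argument is the failure message and the second is the object under test, and since `ex` is never null the assertion always fails, which is the same outcome as the removed `Assert.fail(ex.getMessage())` but reads as though the message were being checked. Prefer `fail("open() threw: " + ex.getMessage());`, or declare `throws IOException` on the test method and drop the try/catch, and remove the commented-out line rather than leaving it.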
@@ -76,6 +78,6 @@ public class IndexTest {
Directory result = index.getDirectory();
String exp = File.separatorChar + "target" + File.separatorChar + "data" + File.separatorChar + "cpe";
Assert.assertTrue(result.toString().contains(exp));
assertTrue(result.toString().contains(exp));
}
}

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CweDBTest {
@@ -54,7 +54,7 @@ public class CweDBTest {
/**
* Method to serialize the CWE HashMap. This is not used in
* production; this is only used once during dev to create
* the serialized hashmap.
* the serialized HashMap.
*/
// @Test
// public void testUpdate() throws Exception {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -49,7 +49,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FieldAnalyzerTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class LuceneUtilsTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -25,15 +25,15 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import junit.framework.TestCase;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public abstract class BaseDBTestCase extends TestCase {
@@ -49,17 +49,7 @@ public abstract class BaseDBTestCase extends TestCase {
protected static File getDataDirectory() throws IOException {
String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
exePath = exePath.getParentFile();
} else {
exePath = new File(".");
}
File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
path = new File(path.getCanonicalPath());
return path;
return FileUtils.getDataDirectory(fileName, Index.class);
}
public static void ensureDBExists() throws Exception {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DatabaseUpdaterIntegrationTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve_1_2_HandlerTest {

View File

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class NvdCve_2_0_HandlerTest {

View File

@@ -1,5 +1,24 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
import java.util.Set;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -15,7 +34,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DependencyTest {
@@ -208,7 +227,7 @@ public class DependencyTest {
public void testGetIdentifiers() {
Dependency instance = new Dependency();
List expResult = null;
List result = instance.getIdentifiers();
Set<Identifier> result = instance.getIdentifiers();
assertTrue(true); //this is just a getter setter pair.
}
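Review bot: `List expResult = null;` is now dead and type-inconsistent with the `Set<Identifier> result` on the line after it, and `assertTrue(true)` means this test can never fail; drop `expResult` and assert something real about the getter, e.g. `assertNotNull(instance.getIdentifiers());` for a freshly constructed `Dependency`, or remove the test rather than keep a placeholder that reports coverage it does not provide.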
@@ -218,7 +237,7 @@ public class DependencyTest {
*/
@Test
public void testSetIdentifiers() {
List<Identifier> identifiers = null;
Set<Identifier> identifiers = null;
Dependency instance = new Dependency();
instance.setIdentifiers(identifiers);
assertTrue(true); //this is just a getter setter pair.
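Review bot: `instance.setIdentifiers(null)` followed by `assertTrue(true)` exercises only the null path and checks nothing; since this hunk already changes the type to `Set<Identifier>`, build a small set, pass it to `setIdentifiers`, and assert that `getIdentifiers()` returns the same contents so the getter/setter pair is actually covered.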
@@ -232,13 +251,12 @@ public class DependencyTest {
String type = "cpe";
String value = "cpe:/a:apache:struts:2.1.2";
String url = "http://somewhere";
Identifier expResult = new Identifier(type,value,url);
Dependency instance = new Dependency();
instance.addIdentifier(type, value, url);
assertEquals(1,instance.getIdentifiers().size());
Identifier i = instance.getIdentifiers().get(0);
assertEquals(type,i.getType());
assertEquals(value, i.getValue());
assertEquals(url, i.getUrl());
assertTrue("Identifier doesn't contain expected result.", instance.getIdentifiers().contains(expResult));
}
/**
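Review bot: the switch from `getIdentifiers().get(0)` to `getIdentifiers().contains(expResult)` makes this test depend on `Identifier` overriding `equals` and `hashCode` over type, value and url, which this diff does not show; if `Identifier` still uses identity equality the `contains` check fails even when `addIdentifier` works. Confirm that, and consider keeping the three per-field assertions that were removed (`assertEquals(type,i.getType())` and the value and url checks), for example by iterating the set, so a failure points at the mismatched field rather than only at "doesn't contain expected result".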

@@ -1,6 +1,20 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.dependency;
@@ -13,7 +27,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class VulnerableSoftwareTest {

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -27,7 +27,7 @@ import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class ReportGeneratorTest {

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -31,7 +31,7 @@ import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class ChecksumTest {

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -34,7 +34,7 @@ import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class CliParserTest {

@@ -0,0 +1,80 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DependencyVersionUtilTest {
public DependencyVersionUtilTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of parseVersionFromFileName method, of class DependencyVersionUtil.
*/
@Test
public void testParseVersionFromFileName() {
final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
"lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
"lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar"};
final String[] expResult = {"0.9.5", "1.1", "1.5.r4", "1.2.5", "4.4.0", "2.0.0.rc1",
"2.0.1.r114940", "2.3.11.r121413", "3.7"};
for (int i = 0; i < fileName.length; i++) {
final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(fileName[i]);
String result = null;
if (version != null) {
result = version.toString();
}
assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
}
String[] failingNames = { "no-version-identified.jar", "somelib-04aug2000r7-dev.jar", "no.version15.jar",
"lib_1.0_spec-1.1.jar", "lib-api_1.0_spec-1.0.1.jar" };
for (String failingName : failingNames) {
final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(failingName);
assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
}
}
}
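Review bot: the `failingNames` cases `lib_1.0_spec-1.1.jar` and `lib-api_1.0_spec-1.0.1.jar` encode a deliberate rule, that a file name with two version-like tokens yields null rather than a guess, which is the safe choice for a scanner because a misread version leads to the wrong identifier being matched, but the Javadoc only says "Test of parseVersionFromFileName"; state the ambiguity rule in the comment so a later contributor does not "fix" it by returning the first match. The copyright line in this new file says 2012 while the other headers added in this diff say 2013; use the year the file was created. Minor: `failingNames` is not `final` unlike `fileName` and `expResult`, and the empty `setUpClass`/`tearDownClass`/`setUp`/`tearDown` stubs can be dropped.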

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class DownloaderIntegrationTest {

@@ -0,0 +1,81 @@
/*
* This file is part of Dependency-Check.
*
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.File;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FileUtilsTest {
public FileUtilsTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of getFileExtension method, of class FileUtils.
*/
@Test
public void testGetFileExtension() {
String[] fileName = { "something-0.9.5.jar", "lib2-1.1.js" };
String[] expResult = { "jar", "js" };
for (int i = 0; i < fileName.length; i++) {
String result = FileUtils.getFileExtension(fileName[i]);
assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
}
}
/**
* Test of delete method, of class FileUtils.
*/
@Test
public void testDelete() throws Exception {
File file = File.createTempFile("tmp", "deleteme");
if (!file.exists()) {
fail("Unable to create a temporary file.");
}
FileUtils.delete(file);
assertFalse("Temporary file exists after attempting deletion", file.exists());
}
}
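Review bot: `testDelete` creates a real file with `File.createTempFile("tmp", "deleteme")` but never schedules cleanup, so if `FileUtils.delete` throws or silently fails the file is left in the system temp directory on every run; call `file.deleteOnExit()` right after creation or remove it in a `finally` block. `testGetFileExtension` only covers names that have an extension; add a name with no dot and a name ending in a dot so the expected result for those (null or empty string) is pinned down rather than left to whatever `getFileExtension` happens to return. Same copyright-year remark as the other new file in this diff: the header says 2012 while the other added headers say 2013.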

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class FilterTest {

@@ -1,18 +1,18 @@
/*
* This file is part of DependencyCheck.
* This file is part of Dependency-Check.
*
* DependencyCheck is free software: you can redistribute it and/or modify it
* Dependency-Check is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* DependencyCheck is distributed in the hope that it will be useful, but
* Dependency-Check is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* DependencyCheck. If not, see http://www.gnu.org/licenses/.
* Dependency-Check. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
@@ -32,7 +32,7 @@ import org.junit.Test;
/**
*
* @author Jeremy Long (jeremy.long@gmail.com)
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class SettingsTest {
