Compare commits
70 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
550d6ca083 | ||
|
|
b425411357 | ||
|
|
a1f0cf749d | ||
|
|
22e0d1c74e | ||
|
|
cdc07047aa | ||
|
|
c832c2da28 | ||
|
|
8daa713639 | ||
|
|
e0a2966706 | ||
|
|
354bfa14f9 | ||
|
|
46b91702ba | ||
|
|
de9516e368 | ||
|
|
3924e07e5c | ||
|
|
76bcbb5a7e | ||
|
|
8022381d1c | ||
|
|
feb1233081 | ||
|
|
36eefd0836 | ||
|
|
0e31e59759 | ||
|
|
4a4c1e75da | ||
|
|
b0bfd2292a | ||
|
|
7214b24357 | ||
|
|
24637f496f | ||
|
|
d8ecde5265 | ||
|
|
28840c6209 | ||
|
|
1696213406 | ||
|
|
6f315ac765 | ||
|
|
a485307d92 | ||
|
|
3d3b861ba0 | ||
|
|
4b33ed25d5 | ||
|
|
e264880c7b | ||
|
|
ef8212701f | ||
|
|
492157a502 | ||
|
|
2605bc182e | ||
|
|
fe8dfdd804 | ||
|
|
bd917bc990 | ||
|
|
c5c32f683f | ||
|
|
5506e58c98 | ||
|
|
5af2d49b18 | ||
|
|
0fd35a4925 | ||
|
|
7ed20b1244 | ||
|
|
efa6a78255 | ||
|
|
8b58df3b34 | ||
|
|
0d2a090e1f | ||
|
|
7860d635a9 | ||
|
|
ba91c9fa9b | ||
|
|
b3630e0d5e | ||
|
|
f752285912 | ||
|
|
5a150d9b0e | ||
|
|
f0aa185832 | ||
|
|
9592f058d4 | ||
|
|
f630794e22 | ||
|
|
93636e89c5 | ||
|
|
585002c25c | ||
|
|
412ccc1be1 | ||
|
|
8b1306a36c | ||
|
|
81026e8dca | ||
|
|
dd440c8f9f | ||
|
|
76f3e4b27e | ||
|
|
5f5d3fdb66 | ||
|
|
853c92b87d | ||
|
|
00080f2abc | ||
|
|
55414208a3 | ||
|
|
5091499563 | ||
|
|
944b54d920 | ||
|
|
d023b2b2ff | ||
|
|
b45f9f514b | ||
|
|
239a9383e0 | ||
|
|
2190c0229c | ||
|
|
01ef14dc92 | ||
|
|
7b0784843c | ||
|
|
6fc805369e |
@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
|
||||
Copyright & License
|
||||
-
|
||||
|
||||
Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
|
||||
Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
|
||||
|
||||
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-ant</artifactId>
|
||||
|
||||
@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
|
||||
import org.slf4j.spi.LoggerFactoryBinder;
|
||||
|
||||
/**
|
||||
* The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
|
||||
* The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
|
||||
* returned by this class.
|
||||
*
|
||||
* @author colezlaw
|
||||
|
||||
@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<item name="dependency-check" href="../index.html"/>
|
||||
</breadcrumbs>
|
||||
<menu name="Getting Started">
|
||||
<item name="Installation" href="installation.html"/>
|
||||
<item name="Installation" href="index.html"/>
|
||||
<item name="Configuration" href="configuration.html"/>
|
||||
</menu>
|
||||
<menu ref="reports" />
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-cli</artifactId>
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-core</artifactId>
|
||||
@@ -454,6 +454,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<scope>test</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>xalan</artifactId>
|
||||
<version>2.7.0</version>
|
||||
<scope>test</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<profiles>
|
||||
<profile>
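Review bot: The new xalan dependency combines `<scope>test</scope>` with `<optional>true</optional>`, but `optional` only affects transitive propagation and test-scoped dependencies are never propagated, so the flag is dead weight and reads like a copy of the dependency block above it. Dropping `<optional>true</optional>` states the intent more clearly. The pinned release `2.7.0` is also a very old point on the xalan 2.7 line; nothing in the hunk says why that exact version was chosen, so a short comment would help the next person who bumps it: `<!-- pinned to 2.7.0: [reason] -->`.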
|
||||
|
||||
@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
|
||||
*
|
||||
* <h2>Example:</h2>
|
||||
* <pre>
|
||||
* List<Dependency> dependencies = new ArrayList<Dependency>();
|
||||
* List<Dependency> dependencies = new ArrayList<Dependency>();
|
||||
* Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
|
||||
* dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
|
||||
* dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
|
||||
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
|
||||
* scan.execute();
|
||||
* </pre>
|
||||
*
|
||||
* @author Steve Springett <steve.springett@owasp.org>
|
||||
* @author Steve Springett
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class DependencyCheckScanAgent {
|
||||
|
||||
@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
* <p>
|
||||
* Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
|
||||
* that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
|
||||
*
|
||||
* @return the file filter used to determine which files are to be analyzed
|
||||
* <p/>
|
||||
* <p>
|
||||
* If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
|
||||
* loaded.</p>
|
||||
*
|
||||
* @return the file filter used to determine which files are to be analyzed
|
||||
*/
|
||||
protected abstract FileFilter getFileFilter();
|
||||
|
||||
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
* <p>
|
||||
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
|
||||
* declaration.</p>
|
||||
* <p/>
|
||||
* <p>
|
||||
* This implementation was copied from
|
||||
* http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
|
||||
|
||||
@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
|
||||
* Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
|
||||
* assuming they are generated by Autoconf, and contain certain special package descriptor variables.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
* @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
|
||||
*/
|
||||
public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
@@ -35,21 +35,19 @@ import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.logging.Level;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
|
||||
* <p/>
|
||||
* <p>
|
||||
* Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
|
||||
* inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
|
||||
* version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
|
||||
* identified.</p>
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -481,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
|
||||
* @throws AnalysisException is thrown if there is an issue analyzing the dependency.
|
||||
*/
|
||||
@Override
|
||||
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
||||
public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
|
||||
try {
|
||||
determineCPE(dependency);
|
||||
} catch (CorruptIndexException ex) {
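Review bot: `analyze` is now `synchronized` on the analyzer instance, which serializes every dependency passing through this analyzer, yet neither the hunk nor the Javadoc above it says which shared state in `determineCPE` needs the lock. A one-line comment on the method would save the next reader from guessing, e.g. `// synchronized: determineCPE shares non-thread-safe lookup state across worker threads — confirm which` (hedged, because the shared resource is outside this hunk). If the contention is limited to the index lookup, a narrower lock inside `determineCPE` would keep the remainder of the analysis parallel. The method body continues outside the hunk.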
|
||||
|
||||
@@ -44,27 +44,27 @@ import java.security.MessageDigest;
|
||||
public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* The logger
|
||||
* The logger.
|
||||
*/
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
|
||||
|
||||
/**
|
||||
* The analyzer name
|
||||
* The analyzer name.
|
||||
*/
|
||||
private static final String ANALYZER_NAME = "Composer.lock analyzer";
|
||||
|
||||
/**
|
||||
* composer.json
|
||||
* composer.json.
|
||||
*/
|
||||
private static final String COMPOSER_LOCK = "composer.lock";
|
||||
|
||||
/**
|
||||
* The FileFilter
|
||||
* The FileFilter.
|
||||
*/
|
||||
private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
|
||||
|
||||
/**
|
||||
* Returns the FileFilter
|
||||
* Returns the FileFilter.
|
||||
*
|
||||
* @return the FileFilter
|
||||
*/
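Review bot: The Javadoc on `COMPOSER_LOCK` still reads `composer.json.` while the constant's value is `"composer.lock"`; the commit only appends the period, so the mismatch survives. Change it to `* The composer.lock file name.` The other comment edits in this hunk are fine as they are.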
|
||||
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Initializes the analyzer
|
||||
* Initializes the analyzer.
|
||||
*
|
||||
* @throws Exception
|
||||
* @throws Exception thrown if an exception occurs getting an instance of SHA1
|
||||
*/
|
||||
@Override
|
||||
protected void initializeFileTypeAnalyzer() throws Exception {
|
||||
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* The MessageDigest for calculating a new digest for the new dependencies added
|
||||
* The MessageDigest for calculating a new digest for the new dependencies added.
|
||||
*/
|
||||
private MessageDigest sha1 = null;
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@ import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.Enumeration;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
JarFile jar = null;
|
||||
try {
|
||||
jar = new JarFile(dependency.getActualFilePath());
|
||||
|
||||
final Manifest manifest = jar.getManifest();
|
||||
|
||||
if (manifest == null) {
|
||||
//don't log this for javadoc or sources jar files
|
||||
if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
|
||||
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
return false;
|
||||
}
|
||||
final Attributes atts = manifest.getMainAttributes();
|
||||
|
||||
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
|
||||
final EvidenceCollection productEvidence = dependency.getProductEvidence();
|
||||
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
|
||||
|
||||
final String source = "Manifest";
|
||||
|
||||
String source = "Manifest";
|
||||
String specificationVersion = null;
|
||||
boolean hasImplementationVersion = false;
|
||||
|
||||
Attributes atts = manifest.getMainAttributes();
|
||||
for (Entry<Object, Object> entry : atts.entrySet()) {
|
||||
String key = entry.getKey().toString();
|
||||
String value = atts.getValue(key);
|
||||
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
// addMatchingValues(classInformation, value, productEvidence);
|
||||
} else {
|
||||
key = key.toLowerCase();
|
||||
|
||||
if (!IGNORE_KEYS.contains(key)
|
||||
&& !key.endsWith("jdk")
|
||||
&& !key.contains("lastmodified")
|
||||
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething = true;
|
||||
if (key.contains("version")) {
|
||||
if (!key.contains("specification")) {
|
||||
//versionEvidence.addEvidence(source, key, value, Confidence.LOW);
|
||||
//} else {
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
}
|
||||
} else if ("build-id".equals(key)) {
|
||||
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
final Map<String, Attributes> entries = manifest.getEntries();
|
||||
for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
|
||||
final String name = it.next();
|
||||
source = "manifest: " + name;
|
||||
atts = entries.get(name);
|
||||
for (Entry<Object, Object> entry : atts.entrySet()) {
|
||||
final String key = entry.getKey().toString();
|
||||
final String value = atts.getValue(key);
|
||||
if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
|
||||
foundSomething = true;
|
||||
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, vendorEvidence);
|
||||
} else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
|
||||
foundSomething = true;
|
||||
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
|
||||
addMatchingValues(classInformation, value, productEvidence);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (specificationVersion != null && !hasImplementationVersion) {
|
||||
foundSomething = true;
|
||||
versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
|
||||
versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
|
||||
}
|
||||
} finally {
|
||||
if (jar != null) {
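Review bot: After the new per-entry loop, `source` and `atts` no longer describe the main manifest, so the `specification-version` evidence added just below the loop is attributed to `"manifest: " + name` of whichever entry was iterated last instead of `"Manifest"`, although `specificationVersion` is presumably collected from the main attributes above. Keep the outer two variables `final` as they were and give the loop its own locals: `final String entrySource = "manifest: " + name;` and `final Attributes entryAtts = entries.get(name);`, used only inside the loop. Iterating `entries.entrySet()` instead of a key iterator plus `get(name)` would also remove the need for the `java.util.Iterator` import added in the earlier hunk. The enclosing method starts and ends outside this hunk.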
|
||||
@@ -1011,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final String text = value.toLowerCase();
|
||||
for (ClassNameInformation cni : classes) {
|
||||
for (String key : cni.getPackageStructure()) {
|
||||
if (text.contains(key)) { //note, package structure elements are already lowercase.
|
||||
final Pattern p = Pattern.compile("\b" + key + "\b");
|
||||
if (p.matcher(text).find()) {
|
||||
//if (text.contains(key)) { //note, package structure elements are already lowercase.
|
||||
evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
|
||||
}
|
||||
}
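Review bot: The new pattern literal renders as `"\b" + key + "\b"`; in a Java string `\b` is the backspace character, so unless the page dropped a backslash (other hunks on this page keep `\\s` and `\\.` intact) this regex can never match and the `package name` evidence is silently never added. The regex word boundary is `"\\b"`, and since `key` is a package-structure element spliced into the pattern unescaped it should be quoted as well: `final Pattern p = Pattern.compile("\\b" + Pattern.quote(key) + "\\b");`. Compiling a pattern inside the double loop is repeated work; if the package keys are stable per `ClassNameInformation`, the compiled patterns could be cached, but that is a separate change. The enclosing method starts and ends outside the hunk.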
|
||||
|
||||
@@ -43,7 +43,7 @@ import javax.json.JsonValue;
|
||||
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
|
||||
* associated CPE.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
|
||||
/**
|
||||
* Used to analyze OpenSSL source code present in the file system.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
|
||||
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
|
||||
* to determine the associated CPE.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
|
||||
/**
|
||||
* Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@ import java.util.*;
|
||||
/**
|
||||
* Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
|
||||
@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
* Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
|
||||
* Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
|
||||
* Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
|
||||
* expressions are used to parse the well-defined Ruby syntax that forms the specification.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
private static final String GEMSPEC = "gemspec";
|
||||
|
||||
private static final FileFilter FILTER =
|
||||
FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
|
||||
private static final FileFilter FILTER
|
||||
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
|
||||
|
||||
private static final String EMAIL = "email";
|
||||
|
||||
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
/**
|
||||
* The capture group #1 is the block variable.
|
||||
*/
|
||||
private static final Pattern GEMSPEC_BLOCK_INIT =
|
||||
Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
|
||||
private static final Pattern GEMSPEC_BLOCK_INIT
|
||||
= Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
|
||||
|
||||
@Override
|
||||
protected void analyzeFileType(Dependency dependency, Engine engine)
|
||||
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
private void addListEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
final Matcher matcher = Pattern.compile(
|
||||
String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
|
||||
if (matcher.find()) {
|
||||
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
private String addStringEvidence(EvidenceCollection evidences, String contents,
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
String blockVariable, String field, Confidence confidence) {
|
||||
final Matcher matcher = Pattern.compile(
|
||||
String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
|
||||
String value = "";
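Review bot: `blockVariable` is spliced into the regex via `String.format` without quoting, and it is whatever the `(.+?)` group of `GEMSPEC_BLOCK_INIT` captured from the scanned gemspec, so an unbalanced bracket or parenthesis in that position makes `Pattern.compile` throw `PatternSyntaxException` (and a crafted value can make the match backtrack heavily), which aborts analysis of that dependency unless caught further up. Wrap it with `Pattern.quote(blockVariable)` here and in `addListEvidence` in the previous hunk, which has the same construction. The hunks only re-indent the continuation line, so the issue is pre-existing, but the reformat is the right moment to close it.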
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
*
|
||||
* Contains classes related to searching Maven Central.<br/><br/>
|
||||
* Contains classes related to searching Maven Central.<br><br>
|
||||
*
|
||||
* These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
|
||||
*/
|
||||
|
||||
@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
|
||||
/**
|
||||
* Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
|
||||
*
|
||||
* @return a HashMap of CWE entries <String, String>
|
||||
* @return a HashMap of CWE entries <String, String>
|
||||
*/
|
||||
public HashMap<String, String> getCwe() {
|
||||
return cwe;
|
||||
|
||||
@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
|
||||
* <p>
|
||||
* Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
|
||||
* <p>
|
||||
* <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
|
||||
* <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
|
||||
@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
|
||||
* <p>
|
||||
* Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
|
||||
* <p>
|
||||
* <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
|
||||
* <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
|
||||
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
|
||||
|
||||
/**
|
||||
* Constructs a new VersionTokenizingFilter.
|
||||
*
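Review bot: The constructor Javadoc directly below the new `LOGGER` field still says `Constructs a new VersionTokenizingFilter.` inside `UrlTokenizingFilter`, a copy-paste leftover the commit does not fix; change it to `* Constructs a new UrlTokenizingFilter.` None of the visible lines use the added `LOGGER`; if a later hunk in this file uses it that is fine, otherwise it is an unused field.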
|
||||
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
|
||||
}
|
||||
|
||||
/**
|
||||
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
|
||||
* concatenating tokens with the previous token.
|
||||
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
|
||||
* tokens with the previous token.
|
||||
*
|
||||
* @return whether or not we have hit the end of the TokenStream
|
||||
* @throws IOException is thrown when an IOException occurs
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Contains classes related to searching a Nexus repository.<br/><br/>
|
||||
* Contains classes related to searching a Nexus repository.<br><br>
|
||||
*
|
||||
* These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
|
||||
*/
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Contains classes related to parsing Nuget related files<br/><br/>
|
||||
* Contains classes related to parsing Nuget related files<br><br>
|
||||
* These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.nuget;
|
||||
|
||||
@@ -276,10 +276,13 @@ public final class ConnectionFactory {
|
||||
* execute it against the database. The upgrade script must update the 'version' in the properties table.
|
||||
*
|
||||
* @param conn the database connection object
|
||||
* @param schema the current schema version that is being upgraded
|
||||
* @param appExpectedVersion the schema version that the application expects
|
||||
* @param currentDbVersion the current schema version of the database
|
||||
* @throws DatabaseException thrown if there is an exception upgrading the database schema
|
||||
*/
|
||||
private static void updateSchema(Connection conn, String schema) throws DatabaseException {
|
||||
private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
|
||||
throws DatabaseException {
|
||||
|
||||
final String databaseProductName;
|
||||
try {
|
||||
databaseProductName = conn.getMetaData().getDatabaseProductName();
|
||||
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
|
||||
InputStream is = null;
|
||||
String updateFile = null;
|
||||
try {
|
||||
updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
|
||||
updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
|
||||
is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
|
||||
if (is == null) {
|
||||
throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
|
||||
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
|
||||
statement = conn.createStatement();
|
||||
final boolean success = statement.execute(dbStructureUpdate);
|
||||
if (!success && statement.getUpdateCount() <= 0) {
|
||||
throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
|
||||
throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
|
||||
currentDbVersion.toString()));
|
||||
}
|
||||
} catch (SQLException ex) {
|
||||
LOGGER.debug("", ex);
|
||||
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
|
||||
IOUtils.closeQuietly(is);
|
||||
}
|
||||
} else {
|
||||
LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
|
||||
throw new DatabaseException("Database schema is out of date");
|
||||
final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
|
||||
final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
|
||||
final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
|
||||
final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
|
||||
if (e0 == c0 && e1 < c1) {
|
||||
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
} else if (e0 == c0 && e1 == c1) {
|
||||
//do nothing - not sure how we got here, but just incase...
|
||||
} else {
|
||||
LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
|
||||
UPGRADE_HELP_URL);
|
||||
throw new DatabaseException("Database schema is out of date");
|
||||
}
|
||||
}
|
||||
}
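Review bot: The four `Integer.parseInt(...getVersionParts().get(i))` calls in the new else branch can throw `NumberFormatException` or `IndexOutOfBoundsException`, neither of which is the `DatabaseException` this method documents; `currentDbVersion` is parsed from the `properties` table value in the `ensureSchemaVersion` hunk, so a malformed or single-component stored version now surfaces as an unchecked exception instead of a schema error. Guard the parse and rethrow as `DatabaseException` (assuming it has a message-and-cause constructor, which I cannot see here). The `e1 < c1` branch also flips the global `Settings.KEYS.AUTO_UPDATE` to false from inside a schema-upgrade method; a comment such as `// DB schema is newer than this build expects: stop auto-updating so we do not write data this version cannot read — confirm intent` would document that side effect, since the reason is not stated.
```java
            } else {
                final int e0;
                final int c0;
                final int e1;
                final int c1;
                try {
                    e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
                    c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
                    e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
                    c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
                } catch (NumberFormatException ex) {
                    throw new DatabaseException("Unable to parse the database schema version", ex);
                } catch (IndexOutOfBoundsException ex) {
                    throw new DatabaseException("Unable to parse the database schema version", ex);
                }
                // … unchanged: major/minor comparison, auto-update warning and out-of-date error …
```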
|
||||
|
||||
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
|
||||
cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
|
||||
rs = cs.executeQuery();
|
||||
if (rs.next()) {
|
||||
final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
|
||||
final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
|
||||
final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
|
||||
if (current.compareTo(db) > 0) {
|
||||
if (appDbVersion.compareTo(db) > 0) {
|
||||
LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
|
||||
LOGGER.debug("DB Schema: {}", rs.getString(1));
|
||||
updateSchema(conn, rs.getString(1));
|
||||
updateSchema(conn, appDbVersion, db);
|
||||
if (++callDepth < 10) {
|
||||
ensureSchemaVersion(conn);
|
||||
}
|
||||
|
||||
@@ -35,7 +35,6 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
|
||||
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
|
||||
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
|
||||
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
|
||||
import org.owasp.dependencycheck.exception.NoDataException;
|
||||
import org.owasp.dependencycheck.utils.DateUtil;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
@@ -69,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
public void update() throws UpdateException {
|
||||
try {
|
||||
openDataStores();
|
||||
if (checkUpdate()) {
|
||||
boolean autoUpdate = true;
|
||||
try {
|
||||
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
} catch (InvalidSettingException ex) {
|
||||
LOGGER.debug("Invalid setting for auto-update; using true.");
|
||||
}
|
||||
if (autoUpdate && checkUpdate()) {
|
||||
final UpdateableNvdCve updateable = getUpdatesNeeded();
|
||||
if (updateable.isUpdateNeeded()) {
|
||||
performUpdate(updateable);
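Review bot: The `catch (InvalidSettingException ex)` block logs `Invalid setting for auto-update; using true.` without the exception, so the offending value is lost at the one place it could be diagnosed; pass it through: `LOGGER.debug("Invalid setting for auto-update; using true.", ex);`. Defaulting to `true` on a malformed setting is the safer direction for a vulnerability database, since stale CVE data is the worse failure, and a comment saying so would stop a future reader from "fixing" it to false: `// an unparseable setting falls back to updating: stale CVE data is the worse failure`. `update()` continues outside the hunk.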
|
||||
@@ -122,7 +127,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the CPE Index to ensure documents exists.
|
||||
* Checks the CVE Index to ensure data exists and analysis can continue.
|
||||
*
|
||||
* @return true if the database contains data
|
||||
*/
|
||||
private boolean dataExists() {
|
||||
CveDB cve = null;
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Contains classes used to parse the CPE XML file from NIST.<br/><br/>
|
||||
* Contains classes used to parse the CPE XML file from NIST.<br><br>
|
||||
*
|
||||
* These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
|
||||
* we may consider pulling the more descriptive data from the CPE data in the future.
|
||||
|
||||
@@ -22,6 +22,7 @@ import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.URL;
|
||||
import java.util.concurrent.Callable;
|
||||
import java.util.concurrent.ExecutorService;
|
||||
@@ -176,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
LOGGER.debug("", ex);
|
||||
return null;
|
||||
}
|
||||
if (url1.toExternalForm().endsWith(".xml.gz")) {
|
||||
if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
|
||||
extractGzip(first);
|
||||
}
|
||||
if (url2.toExternalForm().endsWith(".xml.gz")) {
|
||||
if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
|
||||
extractGzip(second);
|
||||
}
|
||||
|
||||
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
|
||||
System.currentTimeMillis() - startDownload);
|
||||
System.currentTimeMillis() - startDownload);
|
||||
if (this.processorService == null) {
|
||||
return null;
|
||||
}
|
||||
@@ -226,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the file header to see if it is an XML file.
|
||||
*
|
||||
* @param file the file to check
|
||||
* @return true if the file is XML
|
||||
*/
|
||||
public static boolean isXml(File file) {
|
||||
if (file == null || !file.isFile()) {
|
||||
return false;
|
||||
}
|
||||
InputStream is = null;
|
||||
try {
|
||||
is = new FileInputStream(file);
|
||||
|
||||
final byte[] buf = new byte[5];
|
||||
int read = 0;
|
||||
try {
|
||||
read = is.read(buf);
|
||||
} catch (IOException ex) {
|
||||
return false;
|
||||
}
|
||||
return read == 5
|
||||
&& buf[0] == '<'
|
||||
&& (buf[1] == '?')
|
||||
&& (buf[2] == 'x' || buf[2] == 'X')
|
||||
&& (buf[3] == 'm' || buf[3] == 'M')
|
||||
&& (buf[4] == 'l' || buf[4] == 'L');
|
||||
} catch (FileNotFoundException ex) {
|
||||
return false;
|
||||
} finally {
|
||||
if (is != null) {
|
||||
try {
|
||||
is.close();
|
||||
} catch (IOException ex) {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
|
||||
*
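Review bot: In `isXml` the `catch (IOException ex) { }` around `is.close()` is empty and uncommented; name it `ignored` and state why: `} catch (IOException ignored) { // best-effort close of a read-only stream }`. The single `is.read(buf)` is treated as all-or-nothing via `read == 5`, which works for a regular `FileInputStream` in practice but is not guaranteed by the `InputStream` contract; a `DataInputStream.readFully`-style read would make the sniff independent of short reads. The question at the two `endsWith(".xml.gz") && !isXml(...)` call sites in the earlier hunk is really "is this payload still compressed?", so testing for the gzip magic header would also cover a decompressed-but-not-XML file; either way, a call-site comment such as `// some servers deliver .xml.gz URLs already inflated; skip gunzip for plain XML — confirm` would record the reason, which I infer rather than see. `isXml` is also `public static` on a task class, which widens the API for what looks like an internal helper.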
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
/**
|
||||
* Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
|
||||
* Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.update.nvd;
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
*
|
||||
* Contains classes used to update the data stores.<br/><br/>
|
||||
* Contains classes used to update the data stores.<br><br>
|
||||
*
|
||||
* The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
|
||||
* must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the
|
||||
|
||||
@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
|
||||
* Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
|
||||
*
|
||||
* @param o a dependency to compare
|
||||
* @return an integer representing the natural ordering
|
||||
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
}
|
||||
final Dependency other = (Dependency) obj;
|
||||
return new EqualsBuilder()
|
||||
.appendSuper(super.equals(obj))
|
||||
.append(this.actualFilePath, other.actualFilePath)
|
||||
.append(this.filePath, other.filePath)
|
||||
.append(this.fileName, other.fileName)
|
||||
.append(this.md5sum, other.md5sum)
|
||||
.append(this.sha1sum, other.sha1sum)
|
||||
.append(this.identifiers, other.identifiers)
|
||||
.append(this.vendorEvidence, other.vendorEvidence)
|
||||
.append(this.productEvidence, other.productEvidence)
|
||||
.append(this.versionEvidence, other.versionEvidence)
|
||||
.append(this.description, other.description)
|
||||
.append(this.license, other.license)
|
||||
.append(this.vulnerabilities, other.vulnerabilities)
|
||||
//.append(this.relatedDependencies, other.relatedDependencies)
|
||||
.append(this.projectReferences, other.projectReferences)
|
||||
.append(this.availableVersions, other.availableVersions)
|
||||
.isEquals();
|
||||
.appendSuper(super.equals(obj))
|
||||
.append(this.actualFilePath, other.actualFilePath)
|
||||
.append(this.filePath, other.filePath)
|
||||
.append(this.fileName, other.fileName)
|
||||
.append(this.md5sum, other.md5sum)
|
||||
.append(this.sha1sum, other.sha1sum)
|
||||
.append(this.identifiers, other.identifiers)
|
||||
.append(this.vendorEvidence, other.vendorEvidence)
|
||||
.append(this.productEvidence, other.productEvidence)
|
||||
.append(this.versionEvidence, other.versionEvidence)
|
||||
.append(this.description, other.description)
|
||||
.append(this.license, other.license)
|
||||
.append(this.vulnerabilities, other.vulnerabilities)
|
||||
//.append(this.relatedDependencies, other.relatedDependencies)
|
||||
.append(this.projectReferences, other.projectReferences)
|
||||
.append(this.availableVersions, other.availableVersions)
|
||||
.isEquals();
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
|
||||
.append(actualFilePath)
|
||||
.append(filePath)
|
||||
.append(fileName)
|
||||
.append(md5sum)
|
||||
.append(sha1sum)
|
||||
.append(identifiers)
|
||||
.append(vendorEvidence)
|
||||
.append(productEvidence)
|
||||
.append(versionEvidence)
|
||||
.append(description)
|
||||
.append(license)
|
||||
.append(vulnerabilities)
|
||||
//.append(relatedDependencies)
|
||||
.append(projectReferences)
|
||||
.append(availableVersions)
|
||||
.toHashCode();
|
||||
.append(actualFilePath)
|
||||
.append(filePath)
|
||||
.append(fileName)
|
||||
.append(md5sum)
|
||||
.append(sha1sum)
|
||||
.append(identifiers)
|
||||
.append(vendorEvidence)
|
||||
.append(productEvidence)
|
||||
.append(versionEvidence)
|
||||
.append(description)
|
||||
.append(license)
|
||||
.append(vulnerabilities)
|
||||
//.append(relatedDependencies)
|
||||
.append(projectReferences)
|
||||
.append(availableVersions)
|
||||
.toHashCode();
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
* Used to iterate over evidence of the specified confidence.
|
||||
*
|
||||
* @param confidence the confidence level for the evidence to be iterated over.
|
||||
* @return Iterable<Evidence> an iterable collection of evidence
|
||||
* @return Iterable<Evidence> an iterable collection of evidence
|
||||
*/
|
||||
public final Iterable<Evidence> iterator(Confidence confidence) {
|
||||
if (confidence == Confidence.HIGHEST) {
|
||||
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
|
||||
* location.
|
||||
*
|
||||
* @return Set<String>
|
||||
* @return Set<String>
|
||||
*/
|
||||
public Set<String> getWeighting() {
|
||||
return weightedStrings;
|
||||
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
/**
|
||||
* Implements the iterator interface for the Evidence Collection.
|
||||
*
|
||||
* @return an Iterator<Evidence>.
|
||||
* @return an Iterator<Evidence>
|
||||
*/
|
||||
@Override
|
||||
public Iterator<Evidence> iterator() {
|
||||
|
||||
@@ -22,7 +22,7 @@ import java.io.IOException;
|
||||
/**
|
||||
* An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
|
||||
*
|
||||
* @author Steve Springett <steve.springett@owasp.org>
|
||||
* @author Steve Springett
|
||||
*/
|
||||
public class ScanAgentException extends IOException {
|
||||
|
||||
|
||||
@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
|
||||
* logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
|
||||
* custom Velocity logger that redirects all velocity logging to the Java Logger class.
|
||||
* DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
|
||||
* that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
|
||||
* redirects all velocity logging to the Java Logger class.
|
||||
* </p><p>
|
||||
* This class was written to address permission issues when using Dependency-Check in a server environment (such as the
|
||||
* Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
|
||||
* directory.</p>
|
||||
* This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
|
||||
* plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
|
||||
*
|
||||
* @author Steve Springett <steve.springett@owasp.org>
|
||||
* @author Steve Springett
|
||||
*/
|
||||
public class VelocityLoggerRedirect implements LogChute {
|
||||
|
||||
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
|
||||
}
|
||||
|
||||
/**
|
||||
* Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
|
||||
* values.
|
||||
* Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
|
||||
*
|
||||
* @param level the logging level
|
||||
* @param message the message to be logged
|
||||
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
|
||||
}
|
||||
|
||||
/**
|
||||
* Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
|
||||
* specified values.
|
||||
* Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
|
||||
* values.
|
||||
*
|
||||
* @param level the logging level
|
||||
* @param message the message to be logged
|
||||
|
||||
@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
|
||||
* Example:<br/>
|
||||
* Give the file name: library-name-1.4.1r2-release.jar<br/>
|
||||
* This function would return: 1.4.1.r2</p>
|
||||
* A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
|
||||
* <pre>
|
||||
* Example:
|
||||
* Give the file name: library-name-1.4.1r2-release.jar
|
||||
* This function would return: 1.4.1.r2</pre>
|
||||
*
|
||||
* @param text the text being analyzed
|
||||
* @return a DependencyVersion containing the version
|
||||
|
||||
@@ -40,7 +40,7 @@ import java.util.Set;
|
||||
* FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
|
||||
* </pre>
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
* @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
|
||||
*/
|
||||
public class FileFilterBuilder {
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)
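Review bot: `id not in (SELECT CPEEntryId FROM software)` deletes nothing at all as soon as one row of `software` has a NULL `cpeEntryId`, because `NOT IN` over a set containing NULL is never true in SQL, and the Oracle schema added in this commit declares that column without NOT NULL, so the case is reachable. Either exclude NULLs in the subquery, `CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id NOT IN (SELECT cpeEntryId FROM software WHERE cpeEntryId IS NOT NULL)`, or rewrite it with NOT EXISTS. A comment line above the key saying when the statement is run (presumably after an NVD update) would help, since the file otherwise has none.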
|
||||
@@ -0,0 +1,109 @@
|
||||
-- Drop
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -2289 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -2289 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -942 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -942 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -942 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -942 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -942 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
|
||||
|
||||
CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
|
||||
description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
|
||||
cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
|
||||
cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
|
||||
|
||||
CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
|
||||
CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
|
||||
|
||||
CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
|
||||
|
||||
CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
|
||||
, CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
|
||||
, CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
|
||||
|
||||
CREATE INDEX idxVulnerability ON vulnerability(cve);
|
||||
CREATE INDEX idxReference ON reference(cveid);
|
||||
CREATE INDEX idxCpe ON cpeEntry(cpe);
|
||||
CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
|
||||
CREATE INDEX idxSoftwareCve ON software(cveid);
|
||||
CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
|
||||
|
||||
CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
|
||||
|
||||
CREATE SEQUENCE cpeEntry_seq;
|
||||
CREATE SEQUENCE vulnerability_seq;
|
||||
|
||||
CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
|
||||
BEFORE INSERT
|
||||
ON VULNERABILITY
|
||||
REFERENCING NEW AS New OLD AS Old
|
||||
FOR EACH ROW
|
||||
BEGIN
|
||||
:new.ID := VULNERABILITY_SEQ.nextval;
|
||||
END VULNERABILITY_TRG;
|
||||
|
||||
CREATE OR REPLACE TRIGGER CPEENTRY_TRG
|
||||
BEFORE INSERT
|
||||
ON CPEENTRY
|
||||
REFERENCING NEW AS New OLD AS Old
|
||||
FOR EACH ROW
|
||||
BEGIN
|
||||
:new.ID := CPEENTRY_SEQ.nextval;
|
||||
END CPEENTRY_TRG;
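Review bot: `CREATE INDEX idxVulnerability ON vulnerability(cve)` targets a column that already carries a `UNIQUE` constraint, and Oracle backs that constraint with its own index, so this statement is redundant and will most likely fail with ORA-01408 (column list already indexed) when the script is executed; dropping the line is the fix. The foreign-key columns `reference.cveid`, `software.cveid` and `software.cpeEntryId` are all nullable; if the loader always populates them, declaring them `NOT NULL` documents that and keeps `NOT IN` style cleanup queries (such as the CLEANUP_ORPHANS property in this commit) from silently matching nothing. The `REFERENCING NEW AS New OLD AS Old` clauses name `OLD` in BEFORE INSERT triggers that only touch `:new.ID`; harmless, but noise a reader has to discount.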
|
||||
|
||||
@@ -161,6 +161,13 @@
|
||||
<gav regex="true">.*\bhk2\b.*</gav>
|
||||
<cpe>cpe:/a:oracle:glassfish</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
HK2-utils is flagged as glassfish.
|
||||
]]></notes>
|
||||
<filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
|
||||
<cpe>cpe:/a:oracle:glassfish</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
|
||||
@@ -233,6 +240,76 @@
|
||||
Note, there will be more false positives for Netty. Trying to figure out a better suppression.
|
||||
]]></notes>
|
||||
<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
|
||||
<cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
|
||||
<cpe>cpe:/a:netty_project:netty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
JVM instrumentation to Ganglia
|
||||
]]></notes>
|
||||
<gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
|
||||
<cpe>cpe:/a:ganglia:ganglia</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
A reporter for Metrics which announces measurements to a Ganglia cluster
|
||||
]]></notes>
|
||||
<gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
|
||||
<cpe>cpe:/a:ganglia:ganglia</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
|
||||
<cpe>cpe:/a:jetty:jetty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
|
||||
<cpe>cpe:/a:jetty:jetty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
|
||||
<cpe>cpe:/a:jetty:jetty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
|
||||
<cpe>cpe:/a:jetty:jetty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
|
||||
<cpe>cpe:/a:jetty:jetty</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
drop wizard false positives
|
||||
]]></notes>
|
||||
<gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
|
||||
<cpe>cpe:/a:apache:httpclient</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
false positive in drop wizard
|
||||
]]></notes>
|
||||
<filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
|
||||
<cpe>cpe:/a:tiger:tiger</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
php cpe
|
||||
]]></notes>
|
||||
<filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
|
||||
<cpe>cpe:/a:class:class</cpe>
|
||||
</suppress>
|
||||
</suppressions>
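Review bot: The five `cpe:/a:jetty:jetty` suppressions share the note `drop wizard false positives`, yet two of them target genuine Jetty artifacts (`org.eclipse.jetty:jetty-io`, `org.eclipse.jetty.http2:http2-hpack`); as `base="true"` suppressions they apply to every scan, so any NVD entry recorded under that CPE for those artifacts, if one exists, would be hidden. Each note should say why the match is wrong for that artifact (for example which CPE Jetty vulnerabilities are actually filed under) so a later maintainer can re-validate it, and the `org.eclipse.jetty` entries deserve a narrower form such as a version-bound `<cpe>` or a specific `<cve>` rather than a blanket CPE. The extension-wide entries for `cpe:/a:tiger:tiger` and `cpe:/a:class:class` would likewise benefit from a note stating that the CPE itself is spurious, since `<filePath regex="true">.*\.(jar|ear|war|pom)</filePath>` matches every scanned archive.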
|
||||
|
||||
@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
|
||||
* obtained from outside open source software projects. Links to those projects
|
||||
* are given below.
|
||||
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
|
||||
* Links to those projects are given below.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
|
||||
* Project</a>
|
||||
* @author Dale Visser
|
||||
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
|
||||
* @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
|
||||
* @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
|
||||
*/
|
||||
public class AutoconfAnalyzerTest extends BaseTest {
|
||||
|
||||
/**
|
||||
* The analyzer to test.
|
||||
*/
|
||||
AutoconfAnalyzer analyzer;
|
||||
/**
|
||||
* The analyzer to test.
|
||||
*/
|
||||
AutoconfAnalyzer analyzer;
|
||||
|
||||
private void assertCommonEvidence(Dependency result, String product,
|
||||
String version, String vendor) {
|
||||
assertProductAndVersion(result, product, version);
|
||||
assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
|
||||
result.getVendorEvidence().toString().contains(vendor));
|
||||
}
|
||||
private void assertCommonEvidence(Dependency result, String product,
|
||||
String version, String vendor) {
|
||||
assertProductAndVersion(result, product, version);
|
||||
assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
|
||||
result.getVendorEvidence().toString().contains(vendor));
|
||||
}
|
||||
|
||||
private void assertProductAndVersion(Dependency result, String product,
|
||||
String version) {
|
||||
assertTrue("Expected product evidence to contain \"" + product + "\".",
|
||||
result.getProductEvidence().toString().contains(product));
|
||||
assertTrue("Expected version evidence to contain \"" + version + "\".",
|
||||
result.getVersionEvidence().toString().contains(version));
|
||||
}
|
||||
private void assertProductAndVersion(Dependency result, String product,
|
||||
String version) {
|
||||
assertTrue("Expected product evidence to contain \"" + product + "\".",
|
||||
result.getProductEvidence().toString().contains(product));
|
||||
assertTrue("Expected version evidence to contain \"" + version + "\".",
|
||||
result.getVersionEvidence().toString().contains(version));
|
||||
}
|
||||
|
||||
/**
|
||||
* Correctly setup the analyzer for testing.
|
||||
*
|
||||
* @throws Exception
|
||||
* thrown if there is a problem
|
||||
*/
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
analyzer = new AutoconfAnalyzer();
|
||||
analyzer.setFilesMatched(true);
|
||||
analyzer.initialize();
|
||||
}
|
||||
/**
|
||||
* Correctly setup the analyzer for testing.
|
||||
*
|
||||
* @throws Exception thrown if there is a problem
|
||||
*/
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
analyzer = new AutoconfAnalyzer();
|
||||
analyzer.setFilesMatched(true);
|
||||
analyzer.initialize();
|
||||
}
|
||||
|
||||
/**
|
||||
* Cleanup the analyzer's temp files, etc.
|
||||
*
|
||||
* @throws Exception
|
||||
* thrown if there is a problem
|
||||
*/
|
||||
@After
|
||||
public void tearDown() throws Exception {
|
||||
analyzer.close();
|
||||
analyzer = null;
|
||||
}
|
||||
/**
|
||||
* Cleanup the analyzer's temp files, etc.
|
||||
*
|
||||
* @throws Exception thrown if there is a problem
|
||||
*/
|
||||
@After
|
||||
public void tearDown() throws Exception {
|
||||
analyzer.close();
|
||||
analyzer = null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether expected evidence is gathered from Ghostscript's
|
||||
* configure.ac.
|
||||
*
|
||||
* @throws AnalysisException
|
||||
* is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureAC1() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/ghostscript/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
|
||||
}
|
||||
/**
|
||||
* Test whether expected evidence is gathered from Ghostscript's configure.ac.
|
||||
*
|
||||
* @throws AnalysisException is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureAC1() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/ghostscript/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether expected evidence is gathered from Readable's configure.ac.
|
||||
*
|
||||
* @throws AnalysisException
|
||||
* is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureAC2() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
}
|
||||
/**
|
||||
* Test whether expected evidence is gathered from Readable's configure.ac.
|
||||
*
|
||||
* @throws AnalysisException is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureAC2() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure.ac"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
}
|
||||
|
||||
private void assertReadableCodeEvidence(final Dependency result) {
|
||||
assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
|
||||
final String url = "http://readable.sourceforge.net/";
|
||||
assertTrue("Expected product evidence to contain \"" + url + "\".",
|
||||
result.getVendorEvidence().toString().contains(url));
|
||||
}
|
||||
private void assertReadableCodeEvidence(final Dependency result) {
|
||||
assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
|
||||
final String url = "http://readable.sourceforge.net/";
|
||||
assertTrue("Expected product evidence to contain \"" + url + "\".",
|
||||
result.getVendorEvidence().toString().contains(url));
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether expected evidence is gathered from GNU Binutil's configure.
|
||||
*
|
||||
* @throws AnalysisException
|
||||
* is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureScript() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/binutils/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertProductAndVersion(result, "binutils", "2.25.51");
|
||||
}
|
||||
/**
|
||||
* Test whether expected evidence is gathered from GNU Binutil's configure.
|
||||
*
|
||||
* @throws AnalysisException is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeConfigureScript() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/binutils/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertProductAndVersion(result, "binutils", "2.25.51");
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether expected evidence is gathered from GNU Ghostscript's
|
||||
* configure.
|
||||
*
|
||||
* @throws AnalysisException
|
||||
* is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeReadableConfigureScript() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
}
|
||||
/**
|
||||
* Test whether expected evidence is gathered from GNU Ghostscript's configure.
|
||||
*
|
||||
* @throws AnalysisException is thrown when an exception occurs.
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyzeReadableConfigureScript() throws AnalysisException {
|
||||
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
|
||||
this, "autoconf/readable-code/configure"));
|
||||
analyzer.analyze(result, null);
|
||||
assertReadableCodeEvidence(result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getName method, of {@link AutoconfAnalyzer}.
|
||||
*/
|
||||
@Test
|
||||
public void testGetName() {
|
||||
assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
|
||||
analyzer.getName());
|
||||
}
|
||||
/**
|
||||
* Test of getName method, of {@link AutoconfAnalyzer}.
|
||||
*/
|
||||
@Test
|
||||
public void testGetName() {
|
||||
assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
|
||||
analyzer.getName());
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of {@link AutoconfAnalyzer#accept(File)}.
|
||||
*/
|
||||
@Test
|
||||
public void testSupportsFileExtension() {
|
||||
assertTrue("Should support \"ac\" extension.",
|
||||
analyzer.accept(new File("configure.ac")));
|
||||
assertTrue("Should support \"in\" extension.",
|
||||
analyzer.accept(new File("configure.in")));
|
||||
assertTrue("Should support \"configure\" extension.",
|
||||
analyzer.accept(new File("configure")));
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Test of {@link AutoconfAnalyzer#accept(File)}.
|
||||
*/
|
||||
@Test
|
||||
public void testSupportsFileExtension() {
|
||||
assertTrue("Should support \"ac\" extension.",
|
||||
analyzer.accept(new File("configure.ac")));
|
||||
assertTrue("Should support \"in\" extension.",
|
||||
analyzer.accept(new File("configure.in")));
|
||||
assertTrue("Should support \"configure\" extension.",
|
||||
analyzer.accept(new File("configure")));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
|
||||
/**
|
||||
* Unit tests for CmakeAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class CMakeAnalyzerTest extends BaseDBTestCase {
|
||||
|
||||
|
||||
@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
|
||||
/**
|
||||
* Unit tests for NodePackageAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class ComposerLockAnalyzerTest extends BaseDBTestCase {
|
||||
|
||||
|
||||
@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
|
||||
import java.io.File;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testParseManifest() throws Exception {
|
||||
File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
|
||||
Dependency result = new Dependency(file);
|
||||
JarAnalyzer instance = new JarAnalyzer();
|
||||
List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
|
||||
instance.parseManifest(result, cni);
|
||||
|
||||
assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
|
||||
}
|
||||
}
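Review bot: `testParseManifest` lacks the Javadoc comment that the test methods in the AutoconfAnalyzerTest hunk of this same commit (line 3446) carry; add `/** Test of parseManifest method, of class JarAnalyzer. */` above the `@Test`. The `JarAnalyzer instance` is created and never closed; if the analyzer acquires resources in its constructor or inside `parseManifest` (not visible here), the test should call `instance.close()` in a finally block, as AutoconfAnalyzerTest's tearDown does. The locals `file`, `result`, `cni` and `instance` can be `final`, matching the style of the other test classes in this change.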
|
||||
|
||||
@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
|
||||
/**
|
||||
* Unit tests for NodePackageAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class NodePackageAnalyzerTest extends BaseTest {
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
|
||||
/**
|
||||
* Unit tests for OpenSSLAnalyzerAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class OpenSSLAnalyzerTest extends BaseTest {
|
||||
|
||||
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
|
||||
|
||||
@Test
|
||||
public void testVersionConstantExamples() {
|
||||
final long[] constants = {0x1000203fL
|
||||
, 0x00903000
|
||||
, 0x00903001
|
||||
, 0x00903002l
|
||||
, 0x0090300f
|
||||
, 0x0090301f
|
||||
, 0x0090400f
|
||||
, 0x102031af};
|
||||
final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
|
||||
final String[] versions = {"1.0.2c",
|
||||
"0.9.3-dev",
|
||||
"0.9.3-beta1",
|
||||
"0.9.3-beta2",
|
||||
"0.9.3",
|
||||
"0.9.3a",
|
||||
"0.9.4",
|
||||
"1.2.3z"};
|
||||
"0.9.3-dev",
|
||||
"0.9.3-beta1",
|
||||
"0.9.3-beta2",
|
||||
"0.9.3",
|
||||
"0.9.3a",
|
||||
"0.9.4",
|
||||
"1.2.3z"};
|
||||
assertEquals(constants.length, versions.length);
|
||||
for (int i = 0; i < constants.length; i++) {
|
||||
assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));
|
||||
|
||||
@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
|
||||
/**
|
||||
* Unit tests for PythonDistributionAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class PythonDistributionAnalyzerTest extends BaseTest {
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
|
||||
/**
|
||||
* Unit tests for PythonPackageAnalyzer.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class PythonPackageAnalyzerTest extends BaseTest {
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ import static org.junit.Assert.assertThat;
|
||||
/**
|
||||
* Unit tests for {@link RubyBundleAuditAnalyzer}.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class RubyBundleAuditAnalyzerTest extends BaseTest {
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
|
||||
/**
|
||||
* Unit tests for {@link RubyGemspecAnalyzer}.
|
||||
*
|
||||
* @author Dale Visser <dvisser@ida.org>
|
||||
* @author Dale Visser
|
||||
*/
|
||||
public class RubyGemspecAnalyzerTest extends BaseTest {
|
||||
|
||||
|
||||
@@ -17,47 +17,30 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.update.nvd;
|
||||
|
||||
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
|
||||
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
|
||||
import java.io.File;
|
||||
import java.util.concurrent.ExecutorService;
|
||||
import java.util.concurrent.Future;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public class DownloadTaskTest {
|
||||
public class DownloadTaskTest extends BaseTest {
|
||||
|
||||
public DownloadTaskTest() {
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
Settings.initialize();
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() {
|
||||
Settings.cleanup();
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of call method, of class DownloadTask.
|
||||
*/
|
||||
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
|
||||
Future<ProcessTask> result = instance.call();
|
||||
assertNull(result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of isXml(file).
|
||||
*/
|
||||
@Test
|
||||
public void testIsXML() {
|
||||
File f = getResourceAsFile(this, "nvdcve-modified.xml");
|
||||
assertTrue(DownloadTask.isXml(f));
|
||||
f = getResourceAsFile(this, "file.tar.gz");
|
||||
assertFalse(DownloadTask.isXml(f));
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-maven</artifactId>
|
||||
|
||||
@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
||||
public void runCheck() throws MojoExecutionException, MojoFailureException {
|
||||
final Engine engine = generateDataFile();
|
||||
|
||||
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
|
||||
//if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
|
||||
if (getProject() == getLastProject()) {
|
||||
|
||||
//ensure that the .ser file was created for each.
|
||||
for (MavenProject current : getReactorProjects()) {
|
||||
final File dataFile = getDataFile(current);
|
||||
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
|
||||
if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
|
||||
getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
|
||||
+ "the check but dependencies may be missed resulting in false negatives.", current.getName()));
|
||||
generateDataFile(engine, current);
|
||||
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
||||
Settings.cleanup();
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the last project in the reactor - taking into account skipped projects.
|
||||
*
|
||||
* @return the last projecct in the reactor
|
||||
*/
|
||||
private MavenProject getLastProject() {
|
||||
for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
|
||||
final MavenProject p = getReactorProjects().get(x);
|
||||
if (!skipProject(p)) {
|
||||
return p;
|
||||
}
|
||||
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests if the project is being skipped in the Maven site report.
|
||||
*
|
||||
* @param project a project in the reactor
|
||||
* @return true if the project is skipped; otherwise false
|
||||
*/
|
||||
private boolean skipProject(MavenProject project) {
|
||||
final String skip = (String) project.getProperties().get("maven.site.skip");
|
||||
return "true".equalsIgnoreCase(skip);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a set containing all the descendant projects of the given project.
|
||||
*
|
||||
|
||||
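Review bot: `getLastProject()` returns `null` when every reactor project is skipped, and its Javadoc (`@return the last projecct in the reactor`, also a typo) does not say so; the only caller compares the result with `==` against `getProject()`, so a null silently means the aggregate report is never produced, which deserves a comment. Document it as `@return the last non-skipped project in the reactor, or null if every project is skipped`. In the first hunk of this file the superseded condition is kept as a comment (`//if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {`); delete it rather than leave it. In `skipProject`, `project.getProperties().getProperty("maven.site.skip")` avoids the `(String)` cast and honours `Properties` defaults.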
@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
@@ -49,6 +48,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.reporting.ReportGenerator;
|
||||
import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
|
||||
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
|
||||
@@ -667,6 +667,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
final String password = proxy.getPassword();
|
||||
Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
|
||||
Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
|
||||
Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
|
||||
}
|
||||
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
|
||||
@@ -1034,9 +1035,26 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
}
|
||||
List<Dependency> ret = null;
|
||||
final String path = (String) oPath;
|
||||
ObjectInputStream ois = null;
|
||||
//ObjectInputStream ois = null;
|
||||
ExpectedOjectInputStream ois = null;
|
||||
try {
|
||||
ois = new ObjectInputStream(new FileInputStream(path));
|
||||
//ois = new ObjectInputStream(new FileInputStream(path));
|
||||
ois = new ExpectedOjectInputStream(new FileInputStream(path),
|
||||
"java.util.ArrayList",
|
||||
"java.util.HashSet",
|
||||
"java.util.TreeSet",
|
||||
"java.lang.AbstractSet",
|
||||
"java.lang.AbstractCollection",
|
||||
"java.lang.Enum",
|
||||
"org.owasp.dependencycheck.dependency.Confidence",
|
||||
"org.owasp.dependencycheck.dependency.Dependency",
|
||||
"org.owasp.dependencycheck.dependency.Evidence",
|
||||
"org.owasp.dependencycheck.dependency.EvidenceCollection",
|
||||
"org.owasp.dependencycheck.dependency.Identifier",
|
||||
"org.owasp.dependencycheck.dependency.Reference",
|
||||
"org.owasp.dependencycheck.dependency.Vulnerability",
|
||||
"org.owasp.dependencycheck.dependency.VulnerabilityComparator",
|
||||
"org.owasp.dependencycheck.dependency.VulnerableSoftware");
|
||||
ret = (List<Dependency>) ois.readObject();
|
||||
} catch (FileNotFoundException ex) {
|
||||
//TODO fix logging
|
||||
|
||||
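Review bot: The allowlist passed to `ExpectedOjectInputStream` names `java.lang.AbstractSet` and `java.lang.AbstractCollection`, but both classes live in `java.util`, so those two entries can never match a stream descriptor. They appear to be harmless here: to my reading the serialization stream only carries descriptors for `Serializable` classes in a hierarchy, and neither abstract class is `Serializable` (contrast `java.lang.Number`, which is, and which the unit test has to list). Either correct them to `java.util.AbstractSet` / `java.util.AbstractCollection` or drop them, and add a comment that the list must be kept in sync with the `Dependency` object graph, since any new serializable field type will otherwise fail with `InvalidClassException` at read time. The superseded `//ObjectInputStream ois = null;` and `//ois = new ObjectInputStream(new FileInputStream(path));` lines should be removed rather than commented out. The enclosing method begins and ends outside this hunk.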
@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
|
||||
import org.slf4j.spi.LoggerFactoryBinder;
|
||||
|
||||
/**
|
||||
* The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
|
||||
* information returned by this class.
|
||||
* The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
|
||||
* returned by this class.
|
||||
*
|
||||
* @author colezlaw
|
||||
*/
|
||||
|
||||
@@ -3,7 +3,7 @@ Goals
|
||||
|
||||
Goal | Description
|
||||
------------|-----------------------
|
||||
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
|
||||
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
|
||||
check | Runs dependency-check against the project and generates a report.
|
||||
update-only | Updates the local cache of the NVD data from NIST.
|
||||
purge | Deletes the local copy of the NVD. This is used to force a refresh of the data.
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-utils</artifactId>
|
||||
@@ -139,6 +139,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<groupId>commons-io</groupId>
|
||||
<artifactId>commons-io</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-lang3</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>slf4j-api</artifactId>
|
||||
|
||||
@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
|
||||
import java.util.zip.InflaterInputStream;
|
||||
|
||||
import static java.lang.String.format;
|
||||
import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
|
||||
import static org.owasp.dependencycheck.utils.Settings.getBoolean;
|
||||
|
||||
/**
|
||||
* A utility to download files from the Internet.
|
||||
@@ -243,6 +241,16 @@ public final class Downloader {
|
||||
throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
|
||||
} catch (IOException ex) {
|
||||
analyzeException(ex);
|
||||
try {
|
||||
//retry
|
||||
if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
|
||||
Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
|
||||
return getLastModified(url);
|
||||
}
|
||||
} catch (InvalidSettingException ex1) {
|
||||
LOGGER.debug("invalid setting?", ex);
|
||||
}
|
||||
|
||||
throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
|
||||
} finally {
|
||||
if (conn != null) {
|
||||
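Review bot: In the new retry block the `catch (InvalidSettingException ex1)` branch logs `ex`, the outer `IOException`, instead of `ex1`, so the setting problem that was actually caught is never recorded; change it to `LOGGER.debug("invalid setting?", ex1);`. The retry also flips `DOWNLOADER_QUICK_QUERY_TIMESTAMP` in the global `Settings` as a side effect of one failed request, and that value then applies to every later download in the process; if that is intended, a comment on the `Settings.setBoolean` line saying so would save the next reader a search. The enclosing method starts and ends outside this hunk.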
@@ -300,7 +308,7 @@ public final class Downloader {
|
||||
boolean quickQuery;
|
||||
|
||||
try {
|
||||
quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
|
||||
quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
|
||||
} catch (InvalidSettingException e) {
|
||||
quickQuery = true;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,70 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2016 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.InvalidClassException;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ObjectStreamClass;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* An ObjectInputStream that will only deserialize expected classes.
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public class ExpectedOjectInputStream extends ObjectInputStream {
|
||||
|
||||
/**
|
||||
* The list of fully qualified class names that are able to be deserialized.
|
||||
*/
|
||||
private List<String> expected = new ArrayList<String>();
|
||||
|
||||
/**
|
||||
* Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
|
||||
* that can deserialized to a known set of expected classes.
|
||||
*
|
||||
* @param inputStream the input stream that contains the object to deserialize
|
||||
* @param expected the fully qualified class names of the classes that can be deserialized
|
||||
* @throws IOException thrown if there is an error reading from the stream
|
||||
*/
|
||||
public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
|
||||
super(inputStream);
|
||||
this.expected.addAll(Arrays.asList(expected));
|
||||
}
|
||||
|
||||
/**
|
||||
* Only deserialize instances of expected classes by validating the class name prior to deserialization.
|
||||
*
|
||||
* @param desc the class from the object stream to validate
|
||||
* @return the resolved class
|
||||
* @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
|
||||
* reading from the stream
|
||||
* @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
|
||||
*/
|
||||
@Override
|
||||
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
|
||||
if (!this.expected.contains(desc.getName())) {
|
||||
throw new InvalidClassException("Unexpected deserialization", desc.getName());
|
||||
}
|
||||
return super.resolveClass(desc);
|
||||
}
|
||||
}
|
||||
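Review bot: `resolveClass` is the only hook overridden, so dynamic-proxy descriptors, which `ObjectInputStream` resolves through `resolveProxyClass` instead, never pass through the allowlist; a stream that only ever carries `Dependency` graphs has no use for proxies and should reject them too (below). The `InvalidClassException(String cname, String reason)` arguments are swapped — the literal is passed as the class name and the class name as the reason — so `throw new InvalidClassException(desc.getName(), "Unexpected deserialization");` reads correctly in logs. The class name is missing a letter (`ExpectedOjectInputStream` → `ExpectedObjectInputStream`) and, since it is already referenced from the Maven module, it is cheapest to fix before release; the Javadoc phrase `classes that can deserialized` should read `can be deserialized`. `expected` should be `private final` and, given the `contains` lookup, could be a `Set<String>`.
```java
// … unchanged: field, constructor, resolveClass …

/**
 * Rejects dynamic proxy classes: the expected object graph never contains them,
 * and proxy descriptors are not routed through {@link #resolveClass}.
 */
@Override
protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
    throw new InvalidClassException(Arrays.toString(interfaces), "Unexpected deserialization");
}
```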
@@ -165,6 +165,10 @@ public final class Settings {
|
||||
* The properties key for the proxy password.
|
||||
*/
|
||||
public static final String PROXY_PASSWORD = "proxy.password";
|
||||
/**
|
||||
* The properties key for the non proxy hosts.
|
||||
*/
|
||||
public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
|
||||
/**
|
||||
* The properties key for the connection timeout.
|
||||
*/
|
||||
@@ -523,8 +527,8 @@ public final class Settings {
|
||||
|
||||
/**
|
||||
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
|
||||
* file.<br/><br/>
|
||||
* Note: even if using this method - system properties will be loaded before properties loaded from files.
|
||||
* file.<br><br>
|
||||
* <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
|
||||
*
|
||||
* @param filePath the path to the properties file to merge.
|
||||
* @throws FileNotFoundException is thrown when the filePath points to a non-existent file
|
||||
@@ -548,7 +552,7 @@ public final class Settings {
|
||||
|
||||
/**
|
||||
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
|
||||
* file.<br/><br/>
|
||||
* file.<br><br>
|
||||
* Note: even if using this method - system properties will be loaded before properties loaded from files.
|
||||
*
|
||||
* @param filePath the path to the properties file to merge.
|
||||
@@ -573,8 +577,8 @@ public final class Settings {
|
||||
|
||||
/**
|
||||
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
|
||||
* file.<br/><br/>
|
||||
* Note: even if using this method - system properties will be loaded before properties loaded from files.
|
||||
* file.<br><br>
|
||||
* <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
|
||||
*
|
||||
* @param stream an Input Stream pointing at a properties file to merge
|
||||
* @throws IOException is thrown when there is an exception loading/merging the properties
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.Authenticator;
|
||||
import java.net.HttpURLConnection;
|
||||
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
|
||||
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
|
||||
HttpURLConnection conn = null;
|
||||
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
|
||||
|
||||
try {
|
||||
if (proxyUrl != null) {
|
||||
if (proxyUrl != null && !matchNonProxy(url)) {
|
||||
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
|
||||
final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
|
||||
|
||||
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
|
||||
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
|
||||
|
||||
if (username != null && password != null) {
|
||||
final Authenticator auth = new Authenticator() {
|
||||
@Override
|
||||
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
|
||||
return conn;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if hostname matches nonProxy settings
|
||||
*
|
||||
* @param url the url to connect to
|
||||
* @return matching result. true: match nonProxy
|
||||
*/
|
||||
private static boolean matchNonProxy(final URL url) {
|
||||
final String host = url.getHost();
|
||||
|
||||
// code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
|
||||
final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
|
||||
if (null != nonProxyHosts) {
|
||||
final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
|
||||
for (final String nonProxyHost : nonProxies) {
|
||||
//if ( StringUtils.contains( nonProxyHost, "*" ) )
|
||||
if (null != nonProxyHost && nonProxyHost.contains("*")) {
|
||||
// Handle wildcard at the end, beginning or middle of the nonProxyHost
|
||||
final int pos = nonProxyHost.indexOf('*');
|
||||
final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
|
||||
final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
|
||||
// prefix*
|
||||
if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
|
||||
return true;
|
||||
}
|
||||
// *suffix
|
||||
if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
|
||||
return true;
|
||||
}
|
||||
// prefix*suffix
|
||||
if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
|
||||
&& host.endsWith(nonProxyHostSuffix)) {
|
||||
return true;
|
||||
}
|
||||
} else if (host.equals(nonProxyHost)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
|
||||
* configured but we don't want to use it (for example, if there's an internal repository configured)
|
||||
|
||||
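Review bot: `matchNonProxy` compares each entry of `proxy.nonproxyhosts` verbatim, so a list written as `host1, host2` (space after the separator) never matches `host2`, and a mixed-case entry never matches a URL host in another case; trim each entry and compare case-insensitively, e.g. `final String candidate = nonProxyHost.trim();` used in place of `nonProxyHost` for the `contains("*")`, prefix/suffix and `equals` tests. `String.split` never yields `null` elements, so the `null != nonProxyHost` guard is dead. The `prefix*suffix` branch also accepts a host shorter than prefix plus suffix (`ab*bc` matches `abc`), which is probably acceptable for a proxy bypass list but is worth a comment. The leftover `//if ( StringUtils.contains( nonProxyHost, "*" ) )` line should go.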
@@ -0,0 +1,96 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2016 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author jeremy
|
||||
*/
|
||||
public class ExpectedOjectInputStreamTest {
|
||||
|
||||
public ExpectedOjectInputStreamTest() {
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of resolveClass method, of class ExpectedOjectInputStream.
|
||||
*/
|
||||
@Test
|
||||
public void testResolveClass() throws Exception {
|
||||
List<SimplePojo> data = new ArrayList<SimplePojo>();
|
||||
data.add(new SimplePojo());
|
||||
|
||||
ByteArrayOutputStream mem = new ByteArrayOutputStream();
|
||||
ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
|
||||
out.writeObject(data);
|
||||
out.flush();
|
||||
byte[] buf = mem.toByteArray();
|
||||
out.close();
|
||||
ByteArrayInputStream in = new ByteArrayInputStream(buf);
|
||||
|
||||
ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
|
||||
instance.readObject();
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of resolveClass method, of class ExpectedOjectInputStream.
|
||||
*/
|
||||
@Test(expected = java.io.InvalidClassException.class)
|
||||
public void testResolveClassException() throws Exception {
|
||||
List<SimplePojo> data = new ArrayList<SimplePojo>();
|
||||
data.add(new SimplePojo());
|
||||
|
||||
ByteArrayOutputStream mem = new ByteArrayOutputStream();
|
||||
ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
|
||||
out.writeObject(data);
|
||||
out.flush();
|
||||
byte[] buf = mem.toByteArray();
|
||||
out.close();
|
||||
ByteArrayInputStream in = new ByteArrayInputStream(buf);
|
||||
|
||||
ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
|
||||
instance.readObject();
|
||||
}
|
||||
}
|
||||
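Review bot: `testResolveClass` calls `instance.readObject()` but never checks what came back, so the positive path only proves that no exception was thrown; with a static import of `org.junit.Assert.assertEquals`, add `List<?> result = (List<?>) instance.readObject(); assertEquals(1, result.size()); assertEquals("3", ((SimplePojo) result.get(0)).s);`. The serialize-to-bytes block is duplicated between the two tests and could become a private `byte[] serialize(Object o)` helper. Neither `instance` nor `in` is closed; the streams are in-memory so nothing leaks, but closing them in a `finally` keeps the test consistent with the production code it mirrors. The empty `setUpClass`/`tearDownClass`/`setUp`/`tearDown` methods and the no-op constructor look like IDE template residue and can be deleted.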
@@ -0,0 +1,29 @@
|
||||
/*
|
||||
* Copyright 2016 OWASP.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.io.Serializable;
|
||||
|
||||
/**
|
||||
* Simple pojo used to test the ExpectedObjectInputStream.
|
||||
*
|
||||
* @author jeremy
|
||||
*/
|
||||
public class SimplePojo implements Serializable {
|
||||
|
||||
public String s = "3";
|
||||
public Integer i = 3;
|
||||
}
|
||||
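Review bot: `SimplePojo` implements `Serializable` without a `serialVersionUID`, so the JVM derives one from the class shape and any later edit to the fixture silently invalidates bytes serialized earlier; add `private static final long serialVersionUID = 1L;`. The Javadoc names `ExpectedObjectInputStream` while the class under test is spelled `ExpectedOjectInputStream`; make the two agree.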
12
pom.xml
12
pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.4</version>
|
||||
<version>1.3.5</version>
|
||||
<packaging>pom</packaging>
|
||||
|
||||
<modules>
|
||||
@@ -125,8 +125,8 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
|
||||
thus, we cannot upgrade beyond 4.7.2 -->
|
||||
<apache.lucene.version>4.7.2</apache.lucene.version>
|
||||
<slf4j.version>1.7.13</slf4j.version>
|
||||
<logback.version>1.1.3</logback.version>
|
||||
<slf4j.version>1.7.16</slf4j.version>
|
||||
<logback.version>1.1.5</logback.version>
|
||||
<reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
|
||||
<reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
|
||||
<reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
|
||||
@@ -175,7 +175,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<version>3.5.1</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
@@ -225,7 +225,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.4</version>
|
||||
<version>3.5</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.6</version>
|
||||
<version>1.7</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<configuration>
|
||||
|
||||
@@ -28,9 +28,10 @@
|
||||
<property name="allowLegacy" value="false"/>
|
||||
</module>
|
||||
|
||||
<module name="Translation">
|
||||
<!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
|
||||
<!--module name="Translation">
|
||||
<property name="severity" value="warning"/>
|
||||
</module>
|
||||
</module-->
|
||||
|
||||
<module name="FileTabCharacter">
|
||||
<property name="eachLine" value="false"/>
|
||||
|
||||
@@ -80,7 +80,7 @@ The full schema for suppression files can be found here: [suppression.xsd](https
|
||||
|
||||
Please see the appropriate configuration option in each interfaces configuration guide:
|
||||
|
||||
- [Command Line Tool](dependency-check-cli/arguments.html)
|
||||
- [Maven Plugin](dependency-check-maven/configuration.html)
|
||||
- [Ant Task](dependency-check-ant/configuration.html)
|
||||
- [Jenkins Plugin](dependency-check-jenkins/index.html)
|
||||
- [Command Line Tool](../dependency-check-cli/arguments.html)
|
||||
- [Maven Plugin](../dependency-check-maven/configuration.html)
|
||||
- [Ant Task](../dependency-check-ant/configuration.html)
|
||||
- [Jenkins Plugin](../dependency-check-jenkins/index.html)
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<skin>
|
||||
<groupId>org.apache.maven.skins</groupId>
|
||||
<artifactId>maven-fluido-skin</artifactId>
|
||||
<version>1.4</version>
|
||||
<version>1.5</version>
|
||||
</skin>
|
||||
<custom>
|
||||
<fluidoSkin>
|
||||
@@ -65,9 +65,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
|
||||
<body>
|
||||
<head>
|
||||
<style type="text/css">
|
||||
<![CDATA[<style type="text/css">
|
||||
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
|
||||
</style>
|
||||
</style>]]>
|
||||
</head>
|
||||
<breadcrumbs>
|
||||
<item name=" " href="#"/>
|
||||
|
||||