View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.File;
21  import org.junit.After;
22  import static org.junit.Assert.assertEquals;
23  import static org.junit.Assert.assertTrue;
24  import static org.junit.Assert.fail;
25  import org.junit.Assume;
26  import static org.junit.Assume.assumeFalse;
27  import static org.junit.Assume.assumeNotNull;
28  import org.junit.Before;
29  import org.junit.Test;
30  import org.owasp.dependencycheck.BaseTest;
31  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
32  import org.owasp.dependencycheck.dependency.Confidence;
33  import org.owasp.dependencycheck.dependency.Dependency;
34  import org.owasp.dependencycheck.dependency.Evidence;
35  import org.owasp.dependencycheck.exception.InitializationException;
36  import org.owasp.dependencycheck.utils.Settings;
37  import org.slf4j.Logger;
38  import org.slf4j.LoggerFactory;
39  
40  /**
41   * Tests for the AssemblyAnalyzer.
42   *
43   * @author colezlaw
44   *
45   */
46  public class AssemblyAnalyzerTest extends BaseTest {
47  
48      private static final Logger LOGGER = LoggerFactory.getLogger(AssemblyAnalyzerTest.class);
49  
50      private static final String LOG_KEY = "org.slf4j.simpleLogger.org.owasp.dependencycheck.analyzer.AssemblyAnalyzer";
51  
52      AssemblyAnalyzer analyzer;
53  
54      /**
55       * Sets up the analyzer.
56       *
57       * @throws Exception if anything goes sideways
58       */
59      @Before
60      public void setUp() throws Exception {
61          try {
62              analyzer = new AssemblyAnalyzer();
63              analyzer.accept(new File("test.dll")); // trick into "thinking it is active"
64              analyzer.initialize();
65              Assume.assumeTrue("Mono is not installed, skipping tests.", analyzer.buildArgumentList() == null);
66          } catch (Exception e) {
67              if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
68                  LOGGER.warn("Exception setting up AssemblyAnalyzer. Tests will be incomplete");
69              } else {
70                  LOGGER.warn("Exception setting up AssemblyAnalyzer. Tests will be incomplete");
71              }
72              Assume.assumeNoException("Is mono installed? TESTS WILL BE INCOMPLETE", e);
73          }
74      }
75  
76      /**
77       * Tests to make sure the name is correct.
78       */
79      @Test
80      public void testGetName() {
81          assertEquals("Assembly Analyzer", analyzer.getName());
82      }
83  
84      @Test
85      public void testAnalysis() throws Exception {
86          assumeNotNull(analyzer.buildArgumentList());
87          File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe");
88          Dependency d = new Dependency(f);
89          analyzer.analyze(d, null);
90          boolean foundVendor = false;
91          for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) {
92              if ("OWASP".equals(e.getValue())) {
93                  foundVendor = true;
94              }
95          }
96          assertTrue(foundVendor);
97  
98          boolean foundProduct = false;
99          for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
100             if ("GrokAssembly".equals(e.getValue())) {
101                 foundProduct = true;
102             }
103         }
104         assertTrue(foundProduct);
105     }
106 
107     @Test
108     public void testLog4Net() throws Exception {
109         assumeNotNull(analyzer.buildArgumentList());
110         File f = BaseTest.getResourceAsFile(this, "log4net.dll");
111 
112         Dependency d = new Dependency(f);
113         analyzer.analyze(d, null);
114         assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
115         assertTrue(d.getVendorEvidence().getEvidence().contains(new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH)));
116         assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
117     }
118 
119     @Test
120     public void testNonexistent() {
121         assumeNotNull(analyzer.buildArgumentList());
122 
123         // Tweak the log level so the warning doesn't show in the console
124         String oldProp = System.getProperty(LOG_KEY, "info");
125         File f = BaseTest.getResourceAsFile(this, "log4net.dll");
126         File test = new File(f.getParent(), "nonexistent.dll");
127         Dependency d = new Dependency(test);
128 
129         try {
130             analyzer.analyze(d, null);
131             fail("Expected an AnalysisException");
132         } catch (AnalysisException ae) {
133             assertEquals("File does not exist", ae.getMessage());
134         } finally {
135             System.setProperty(LOG_KEY, oldProp);
136         }
137     }
138 
139     @Test
140     public void testWithSettingMono() throws Exception {
141 
142         //This test doesn't work on Windows.
143         assumeFalse(System.getProperty("os.name").startsWith("Windows"));
144 
145         String oldValue = Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
146         // if oldValue is null, that means that neither the system property nor the setting has
147         // been set. If that's the case, then we have to make it such that when we recover,
148         // null still comes back. But you can't put a null value in a HashMap, so we have to set
149         // the system property rather than the setting.
150         if (oldValue == null) {
151             System.setProperty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
152         } else {
153             Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
154         }
155 
156         String oldProp = System.getProperty(LOG_KEY, "info");
157         try {
158             // Tweak the logging to swallow the warning when testing
159             System.setProperty(LOG_KEY, "error");
160             // Have to make a NEW analyzer because during setUp, it would have gotten the correct one
161             AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
162             aanalyzer.accept(new File("test.dll")); // trick into "thinking it is active"
163             aanalyzer.initialize();
164             fail("Expected an InitializationException");
165         } catch (InitializationException ae) {
166             assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
167         } finally {
168             System.setProperty(LOG_KEY, oldProp);
169             // Recover the logger
170             // Now recover the way we came in. If we had to set a System property, delete it. Otherwise,
171             // reset the old value
172             if (oldValue == null) {
173                 System.getProperties().remove(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
174             } else {
175                 Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, oldValue);
176             }
177         }
178     }
179 
180     @After
181     public void tearDown() throws Exception {
182         analyzer.close();
183     }
184 }