View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.util.Collections;
23  import java.util.List;
24  import java.util.Set;
25  import org.apache.lucene.index.CorruptIndexException;
26  import org.apache.lucene.queryparser.classic.ParseException;
27  import org.junit.Assert;
28  import static org.junit.Assert.assertTrue;
29  import org.junit.Test;
30  import org.owasp.dependencycheck.BaseTest;
31  import org.owasp.dependencycheck.BaseDBTestCase;
32  import org.owasp.dependencycheck.Engine;
33  import org.owasp.dependencycheck.data.cpe.IndexEntry;
34  import org.owasp.dependencycheck.dependency.Confidence;
35  import org.owasp.dependencycheck.dependency.Dependency;
36  import org.owasp.dependencycheck.dependency.Identifier;
37  
38  /**
39   *
40   * @author Jeremy Long
41   */
42  public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
43  
44      /**
45       * Tests of buildSearch of class CPEAnalyzer.
46       *
47       * @throws IOException is thrown when an IO Exception occurs.
48       * @throws CorruptIndexException is thrown when the index is corrupt.
49       * @throws ParseException is thrown when a parse exception occurs
50       */
51      @Test
52      public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
53          Set<String> productWeightings = Collections.singleton("struts2");
54  
55          Set<String> vendorWeightings = Collections.singleton("apache");
56  
57          String vendor = "apache software foundation";
58          String product = "struts 2 core";
59          String version = "2.1.2";
60          CPEAnalyzer instance = new CPEAnalyzer();
61  
62          String queryText = instance.buildSearch(vendor, product, null, null);
63          String expResult = " product:( struts 2 core )  AND  vendor:( apache software foundation ) ";
64          Assert.assertTrue(expResult.equals(queryText));
65  
66          queryText = instance.buildSearch(vendor, product, null, productWeightings);
67          expResult = " product:(  struts^5 struts2^5 2 core )  AND  vendor:( apache software foundation ) ";
68          Assert.assertTrue(expResult.equals(queryText));
69  
70          queryText = instance.buildSearch(vendor, product, vendorWeightings, null);
71          expResult = " product:( struts 2 core )  AND  vendor:(  apache^5 software foundation ) ";
72          Assert.assertTrue(expResult.equals(queryText));
73  
74          queryText = instance.buildSearch(vendor, product, vendorWeightings, productWeightings);
75          expResult = " product:(  struts^5 struts2^5 2 core )  AND  vendor:(  apache^5 software foundation ) ";
76          Assert.assertTrue(expResult.equals(queryText));
77      }
78  
79      /**
80       * Test of determineCPE method, of class CPEAnalyzer.
81       *
82       * @throws Exception is thrown when an exception occurs
83       */
84      @Test
85      public void testDetermineCPE_full() throws Exception {
86          //update needs to be performed so that xtream can be tested
87          Engine e = new Engine();
88          e.doUpdates();
89  
90          CPEAnalyzer cpeAnalyzer = new CPEAnalyzer();
91          try {
92              cpeAnalyzer.initialize();
93              FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
94              fnAnalyzer.initialize();
95              JarAnalyzer jarAnalyzer = new JarAnalyzer();
96              jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
97              jarAnalyzer.initialize();
98              HintAnalyzer hAnalyzer = new HintAnalyzer();
99              hAnalyzer.initialize();
100             FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
101             fp.initialize();
102 
103             callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
104             callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
105             callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
106             callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
107             callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
108             callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
109             callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
110 
111         } finally {
112             cpeAnalyzer.close();
113         }
114     }
115 
116     /**
117      * Test of determineCPE method, of class CPEAnalyzer.
118      *
119      * @throws Exception is thrown when an exception occurs
120      */
121     public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
122 
123         //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
124         File file = BaseTest.getResourceAsFile(this, depName);
125 
126         Dependency dep = new Dependency(file);
127 
128         fnAnalyzer.analyze(dep, null);
129         jarAnalyzer.analyze(dep, null);
130         hAnalyzer.analyze(dep, null);
131         cpeAnalyzer.analyze(dep, null);
132         fp.analyze(dep, null);
133 
134         if (expResult != null) {
135             Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
136             Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
137         } else {
138             for (Identifier i : dep.getIdentifiers()) {
139                 Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
140             }
141         }
142     }
143 
144     /**
145      * Test of determineCPE method, of class CPEAnalyzer.
146      *
147      * @throws Exception is thrown when an exception occurs
148      */
149     @Test
150     public void testDetermineCPE() throws Exception {
151         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
152         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
153         //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
154         Dependency struts = new Dependency(file);
155 
156         FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
157         fnAnalyzer.analyze(struts, null);
158 
159         HintAnalyzer hintAnalyzer = new HintAnalyzer();
160         hintAnalyzer.initialize();
161         JarAnalyzer jarAnalyzer = new JarAnalyzer();
162         jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
163         jarAnalyzer.initialize();
164 
165         jarAnalyzer.analyze(struts, null);
166         hintAnalyzer.analyze(struts, null);
167         //File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
168         File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
169         Dependency commonValidator = new Dependency(fileCommonValidator);
170         jarAnalyzer.analyze(commonValidator, null);
171         hintAnalyzer.analyze(commonValidator, null);
172 
173         //File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
174         File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
175         Dependency spring = new Dependency(fileSpring);
176         jarAnalyzer.analyze(spring, null);
177         hintAnalyzer.analyze(spring, null);
178 
179         //File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
180         File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
181         Dependency spring3 = new Dependency(fileSpring3);
182         jarAnalyzer.analyze(spring3, null);
183         hintAnalyzer.analyze(spring3, null);
184 
185         CPEAnalyzer instance = new CPEAnalyzer();
186         instance.open();
187         instance.determineCPE(commonValidator);
188         instance.determineCPE(struts);
189         instance.determineCPE(spring);
190         instance.determineCPE(spring3);
191         instance.close();
192                 
193 
194         String expResult = "cpe:/a:apache:struts:2.1.2";
195         Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
196         String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
197         String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
198 
199         for (Identifier i : commonValidator.getIdentifiers()) {
200             Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
201         }
202 
203         Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
204         Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
205         Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
206 
207         //the following two only work if the HintAnalyzer is used.
208         //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
209         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
210         jarAnalyzer.close();
211     }
212 
213     /**
214      * Test of determineIdentifiers method, of class CPEAnalyzer.
215      *
216      * @throws Exception is thrown when an exception occurs
217      */
218     @Test
219     public void testDetermineIdentifiers() throws Exception {
220         Dependency openssl = new Dependency();
221         openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
222         openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
223         openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
224 
225         CPEAnalyzer instance = new CPEAnalyzer();
226         instance.open();
227         instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
228         instance.close();
229 
230         String expResult = "cpe:/a:openssl:openssl:1.0.1c";
231         Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
232 
233         assertTrue(openssl.getIdentifiers().contains(expIdentifier));
234 
235     }
236 
237     /**
238      * Test of searchCPE method, of class CPEAnalyzer.
239      *
240      * @throws Exception is thrown when an exception occurs
241      */
242     @Test
243     public void testSearchCPE() throws Exception {
244         String vendor = "apache software foundation";
245         String product = "struts 2 core";
246         String version = "2.1.2";
247         String expVendor = "apache";
248         String expProduct = "struts";
249 
250         CPEAnalyzer instance = new CPEAnalyzer();
251         instance.open();
252 
253         Set<String> productWeightings = Collections.singleton("struts2");
254 
255         Set<String> vendorWeightings = Collections.singleton("apache");
256 
257         List<IndexEntry> result = instance.searchCPE(vendor, product, vendorWeightings, productWeightings);
258         instance.close();
259 
260         boolean found = false;
261         for (IndexEntry entry : result) {
262             if (expVendor.equals(entry.getVendor()) && expProduct.equals(entry.getProduct())) {
263                 found = true;
264                 break;
265             }
266         }
267         assertTrue("apache:struts was not identified", found);
268 
269     }
270 }