1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.File;
21  import static org.junit.Assert.assertEquals;
22  import static org.junit.Assert.assertTrue;
23  import org.junit.Test;
24  import org.owasp.dependencycheck.BaseDBTestCase;
25  import org.owasp.dependencycheck.BaseTest;
26  import org.owasp.dependencycheck.Engine;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.utils.Settings;
29  
30  /**
31   * Testing the vulnerability suppression analyzer.
32   *
33   * @author Jeremy Long
34   */
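public class VulnerabilitySuppressionAnalyzerIntegrationTest extends BaseDBTestCase {

    /**
     * Test of getName method, of class VulnerabilitySuppressionAnalyzer.
     */
    @Test
    public void testGetName() {
        VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
        assertEquals("Vulnerability Suppression Analyzer", instance.getName());
    }

    /**
     * Test of getAnalysisPhase method, of class VulnerabilitySuppressionAnalyzer.
     *
     * The analyzer is expected to run in POST_FINDING_ANALYSIS: suppression only makes
     * sense once vulnerabilities and identifiers have already been attached to a dependency.
     */
    @Test
    public void testGetAnalysisPhase() {
        VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
        assertEquals(AnalysisPhase.POST_FINDING_ANALYSIS, instance.getAnalysisPhase());
    }

    /**
     * Test of analyze method, of class VulnerabilitySuppressionAnalyzer.
     *
     * Scans commons-fileupload-1.2.1.jar against the local test database, records how many
     * vulnerabilities and identifiers were found, then applies the fixture suppression file
     * and checks that exactly two vulnerabilities and one identifier were removed.
     * Asserting the exact delta (rather than merely "fewer than before") is what gives this
     * test its value as a safety net: a suppression rule that matches more broadly than
     * intended would silently hide unrelated findings in real scans, and is caught here.
     *
     * @throws Exception if the engine or the analyzer fails
     */
    @Test
    public void testAnalyze() throws Exception {
        File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
        File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
        // Offline run: no NVD update and no remote artifact lookups, so the counts below
        // depend only on the local test database and the fixture jar.
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
        // NOTE(review): Settings is static and is not restored by this test; if the base
        // test case does not reset it per test, SUPPRESSION_FILE leaks into later tests — confirm.
        Engine engine = new Engine();
        try {
            engine.scan(file);
            engine.analyzeDependencies();
            Dependency dependency = getDependency(engine, file);
            // Fail with a clear message instead of an NPE on the next line.
            assertTrue("fixture jar was not picked up by the engine", dependency != null);
            int cveSize = dependency.getVulnerabilities().size();
            int cpeSize = dependency.getIdentifiers().size();
            // Precondition: with no findings the suppression has nothing to act on and the
            // remaining assertions would pass vacuously.
            assertTrue("expected at least one vulnerability before suppression", cveSize > 0);
            assertTrue("expected at least one identifier before suppression", cpeSize > 0);

            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
            VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
            instance.initialize();
            instance.analyze(dependency, engine);

            // The fixture suppresses two CVEs and one CPE; clamp at zero so the expectation
            // never goes negative (same result as the original conditional expressions).
            int expectedCves = Math.max(0, cveSize - 2);
            int expectedCpes = Math.max(0, cpeSize - 1);
            assertEquals("unexpected vulnerability count after suppression",
                    expectedCves, dependency.getVulnerabilities().size());
            assertEquals("unexpected identifier count after suppression",
                    expectedCpes, dependency.getIdentifiers().size());
        } finally {
            // Release the engine even when an assertion fails, so a failure does not leave
            // its resources unreleased for the rest of the test run.
            engine.cleanup();
        }
    }

    /**
     * Retrieves a specific dependency from the engine by matching on the file name only
     * (not the full path).
     *
     * @param engine the engine
     * @param file the dependency to retrieve
     * @return the matching dependency, or null if the engine holds none with that file name
     */
    private Dependency getDependency(Engine engine, File file) {
        String wanted = file.getName();
        for (Dependency candidate : engine.getDependencies()) {
            if (wanted.equals(candidate.getFileName())) {
                return candidate;
            }
        }
        return null;
    }
}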
106 }