1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.xml.suppression;
19  
20  import java.io.File;
21  import java.util.ArrayList;
22  import java.util.List;
23  import static org.junit.Assert.assertEquals;
24  import static org.junit.Assert.assertFalse;
25  import static org.junit.Assert.assertTrue;
26  import org.junit.Test;
27  import org.owasp.dependencycheck.BaseTest;
28  import org.owasp.dependencycheck.dependency.Dependency;
29  import org.owasp.dependencycheck.dependency.Identifier;
30  import org.owasp.dependencycheck.dependency.Vulnerability;
31  
32  /**
33   * Test of the suppression rule.
34   *
35   * @author Jeremy Long
36   */
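public class SuppressionRuleTest extends BaseTest {

    //<editor-fold defaultstate="collapsed" desc="Stupid tests of properties">
    /**
     * Test of FilePath property, of class SuppressionRule.
     */
    @Test
    public void testFilePath() {
        SuppressionRule instance = new SuppressionRule();
        PropertyType expResult = new PropertyType();
        expResult.setValue("test");
        instance.setFilePath(expResult);
        PropertyType result = instance.getFilePath();
        assertEquals(expResult, result);
    }

    /**
     * Test of Sha1 property, of class SuppressionRule.
     */
    @Test
    public void testSha1() {
        SuppressionRule instance = new SuppressionRule();
        String expResult = "384FAA82E193D4E4B0546059CA09572654BC3970";
        instance.setSha1(expResult);
        String result = instance.getSha1();
        assertEquals(expResult, result);
    }

    /**
     * Test of Cpe property, of class SuppressionRule: an empty list reports
     * hasCpe() false, a single added entry flips it to true.
     */
    @Test
    public void testCpe() {
        SuppressionRule instance = new SuppressionRule();
        List<PropertyType> cpe = new ArrayList<PropertyType>();
        instance.setCpe(cpe);
        assertFalse(instance.hasCpe());
        PropertyType pt = new PropertyType();
        pt.setValue("one");
        instance.addCpe(pt);
        assertTrue(instance.hasCpe());
        List<PropertyType> result = instance.getCpe();
        assertEquals(cpe, result);
    }

    /**
     * Test of CvssBelow property, of class SuppressionRule.
     */
    @Test
    public void testGetCvssBelow() {
        SuppressionRule instance = new SuppressionRule();
        List<Float> cvss = new ArrayList<Float>();
        instance.setCvssBelow(cvss);
        assertFalse(instance.hasCvssBelow());
        instance.addCvssBelow(0.7f);
        assertTrue(instance.hasCvssBelow());
        List<Float> result = instance.getCvssBelow();
        assertEquals(cvss, result);
    }

    /**
     * Test of Cwe property, of class SuppressionRule.
     */
    @Test
    public void testCwe() {
        SuppressionRule instance = new SuppressionRule();
        List<String> cwe = new ArrayList<String>();
        instance.setCwe(cwe);
        assertFalse(instance.hasCwe());
        instance.addCwe("2");
        assertTrue(instance.hasCwe());
        List<String> result = instance.getCwe();
        assertEquals(cwe, result);
    }

    /**
     * Test of Cve property, of class SuppressionRule.
     */
    @Test
    public void testCve() {
        SuppressionRule instance = new SuppressionRule();
        List<String> cve = new ArrayList<String>();
        instance.setCve(cve);
        assertFalse(instance.hasCve());
        instance.addCve("CVE-2013-1337");
        assertTrue(instance.hasCve());
        List<String> result = instance.getCve();
        assertEquals(cve, result);
    }

    /**
     * Test of base property, of class SuppressionRule; defaults to false.
     */
    @Test
    public void testBase() {
        SuppressionRule instance = new SuppressionRule();
        assertFalse(instance.isBase());
        instance.setBase(true);
        assertTrue(instance.isBase());
    }
    //</editor-fold>

    //<editor-fold defaultstate="collapsed" desc="Ignored duplicate tests, left in, as empty tests, so IDE doesn't re-generate them">
    /**
     * Test of getFilePath method, of class SuppressionRule.
     */
    @Test
    public void testGetFilePath() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setFilePath method, of class SuppressionRule.
     */
    @Test
    public void testSetFilePath() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of getSha1 method, of class SuppressionRule.
     */
    @Test
    public void testGetSha1() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setSha1 method, of class SuppressionRule.
     */
    @Test
    public void testSetSha1() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of getCpe method, of class SuppressionRule.
     */
    @Test
    public void testGetCpe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setCpe method, of class SuppressionRule.
     */
    @Test
    public void testSetCpe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of addCpe method, of class SuppressionRule.
     */
    @Test
    public void testAddCpe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of hasCpe method, of class SuppressionRule.
     */
    @Test
    public void testHasCpe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setCvssBelow method, of class SuppressionRule.
     */
    @Test
    public void testSetCvssBelow() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of addCvssBelow method, of class SuppressionRule.
     */
    @Test
    public void testAddCvssBelow() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of hasCvssBelow method, of class SuppressionRule.
     */
    @Test
    public void testHasCvssBelow() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of getCwe method, of class SuppressionRule.
     */
    @Test
    public void testGetCwe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setCwe method, of class SuppressionRule.
     */
    @Test
    public void testSetCwe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of addCwe method, of class SuppressionRule.
     */
    @Test
    public void testAddCwe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of hasCwe method, of class SuppressionRule.
     */
    @Test
    public void testHasCwe() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of getCve method, of class SuppressionRule.
     */
    @Test
    public void testGetCve() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of setCve method, of class SuppressionRule.
     */
    @Test
    public void testSetCve() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of addCve method, of class SuppressionRule.
     */
    @Test
    public void testAddCve() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }

    /**
     * Test of hasCve method, of class SuppressionRule.
     */
    @Test
    public void testHasCve() {
        //already tested, this is just left so the IDE doesn't recreate it.
    }
    //</editor-fold>

    /**
     * Test of cpeHasNoVersion method, of class SuppressionRule. A trailing
     * colon with nothing after it is NOT treated as "no version"; only a CPE
     * that stops after the product field is.
     */
    @Test
    public void testCpeHasNoVersion() {
        PropertyType c = new PropertyType();
        c.setValue("cpe:/a:microsoft:.net_framework:4.5");
        SuppressionRule instance = new SuppressionRule();
        assertFalse(instance.cpeHasNoVersion(c));
        c.setValue("cpe:/a:microsoft:.net_framework:");
        assertFalse(instance.cpeHasNoVersion(c));
        c.setValue("cpe:/a:microsoft:.net_framework");
        assertTrue(instance.cpeHasNoVersion(c));
    }

    /**
     * Test of identifierMatches method, of class SuppressionRule. Covers
     * exact, version-less prefix, regex, case-(in)sensitive and wrong-vendor
     * matches against a cpe identifier, then exact and regex matches against
     * a maven identifier. The negative cases matter most: a rule that matches
     * too broadly silently hides findings.
     */
    @Test
    public void testCpeMatches() {
        Identifier identifier = new Identifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");

        PropertyType cpe = new PropertyType();
        cpe.setValue("cpe:/a:microsoft:.net_framework:4.5");

        SuppressionRule instance = new SuppressionRule();
        boolean expResult = true;
        boolean result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        // a different version must not match
        cpe.setValue("cpe:/a:microsoft:.net_framework:4.0");
        expResult = false;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        // case-sensitive rule with different case must not match
        cpe.setValue("CPE:/a:microsoft:.net_framework:4.5");
        cpe.setCaseSensitive(true);
        expResult = false;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        // version-less rule matches any version of the product
        cpe.setValue("cpe:/a:microsoft:.net_framework");
        cpe.setCaseSensitive(false);
        expResult = true;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        cpe.setValue("cpe:/a:microsoft:.*");
        cpe.setRegex(true);
        expResult = true;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        cpe.setValue("CPE:/a:microsoft:.*");
        cpe.setRegex(true);
        cpe.setCaseSensitive(true);
        expResult = false;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        // regex for another vendor must not match
        cpe.setValue("cpe:/a:apache:.*");
        cpe.setRegex(true);
        cpe.setCaseSensitive(false);
        expResult = false;
        result = instance.identifierMatches("cpe", cpe, identifier);
        assertEquals(expResult, result);

        identifier = new Identifier("maven", "org.springframework:spring-core:2.5.5", "https://repository.sonatype.org/service/local/artifact/maven/redirect?r=central-proxy&g=org.springframework&a=spring-core&v=2.5.5&e=jar");
        cpe.setValue("org.springframework:spring-core:2.5.5");
        cpe.setRegex(false);
        cpe.setCaseSensitive(false);
        expResult = true;
        result = instance.identifierMatches("maven", cpe, identifier);
        assertEquals(expResult, result);

        // spring-security regex must not match spring-core
        cpe.setValue("org\\.springframework\\.security:spring.*");
        cpe.setRegex(true);
        cpe.setCaseSensitive(false);
        expResult = false;
        result = instance.identifierMatches("maven", cpe, identifier);
        assertEquals(expResult, result);
    }

    /**
     * Test of process method, of class SuppressionRule. Each section first
     * checks that a non-matching rule leaves the dependency untouched, then
     * that the matching rule moves the vulnerability / identifier to the
     * suppressed collection.
     */
    @Test
    public void testProcess() {
        File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
        Dependency dependency = new Dependency(struts);
        dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
        // keep the real hash, then replace it so the rule's sha1 does not match
        String sha1 = dependency.getSha1sum();
        dependency.setSha1sum("384FAA82E193D4E4B0546059CA09572654BC3970");
        Vulnerability v = createVulnerability();
        dependency.addVulnerability(v);

        //cwe - sha1 mismatch must not suppress; restoring the hash must
        SuppressionRule instance = new SuppressionRule();
        instance.setSha1(sha1);
        instance.addCwe("287");
        instance.process(dependency);
        assertEquals(1, dependency.getVulnerabilities().size());
        dependency.setSha1sum(sha1);
        instance.process(dependency);
        assertTrue(dependency.getVulnerabilities().isEmpty());
        assertEquals(1, dependency.getSuppressedVulnerabilities().size());

        //cvss - createVulnerability() scores 7.5: "below 5" must not suppress, "below 8" must
        dependency.addVulnerability(v);
        instance = new SuppressionRule();
        instance.addCvssBelow(5f);
        instance.process(dependency);
        assertEquals(1, dependency.getVulnerabilities().size());
        instance.addCvssBelow(8f);
        instance.process(dependency);
        assertTrue(dependency.getVulnerabilities().isEmpty());
        assertEquals(1, dependency.getSuppressedVulnerabilities().size());

        //cve - a different CVE id must not suppress
        dependency.addVulnerability(v);
        instance = new SuppressionRule();
        instance.addCve("CVE-2012-1337");
        instance.process(dependency);
        assertEquals(1, dependency.getVulnerabilities().size());
        instance.addCve("CVE-2013-1337");
        instance.process(dependency);
        assertTrue(dependency.getVulnerabilities().isEmpty());
        assertEquals(1, dependency.getSuppressedVulnerabilities().size());

        //cpe - version 4.0 must not suppress the 4.5 identifier
        instance = new SuppressionRule();
        PropertyType pt = new PropertyType();
        pt.setValue("cpe:/a:microsoft:.net_framework:4.0");
        instance.addCpe(pt);
        instance.process(dependency);
        assertEquals(1, dependency.getIdentifiers().size());
        pt = new PropertyType();
        pt.setValue("cpe:/a:microsoft:.net_framework:4.5");
        instance.addCpe(pt);
        pt = new PropertyType();
        pt.setValue(".*");
        pt.setRegex(true);
        instance.setFilePath(pt);
        instance.process(dependency);
        assertTrue(dependency.getIdentifiers().isEmpty());
        assertEquals(1, dependency.getSuppressedIdentifiers().size());

        //base - a version-less cpe with base=true removes all three versioned identifiers
        instance = new SuppressionRule();
        dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
        dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
        dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
        pt = new PropertyType();
        pt.setValue("cpe:/a:microsoft:.net_framework");
        instance.addCpe(pt);
        instance.setBase(true);
        assertEquals(3, dependency.getIdentifiers().size());
        assertEquals(1, dependency.getSuppressedIdentifiers().size());
        instance.process(dependency);
        assertTrue(dependency.getIdentifiers().isEmpty());
        assertEquals(1, dependency.getSuppressedIdentifiers().size());
    }

    /**
     * Test of process method, of class SuppressionRule, for a rule scoped by
     * a GAV regex: the three listed cpe identifiers are suppressed, the
     * remaining cpe and the maven identifier survive.
     */
    @Test
    public void testProcessGAV() {
        File spring = BaseTest.getResourceAsFile(this, "spring-security-web-3.0.0.RELEASE.jar");
        Dependency dependency = new Dependency(spring);
        dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_framework:3.0.0", "some url not needed for this test");
        dependency.addIdentifier("cpe", "cpe:/a:springsource:spring_framework:3.0.0", "some url not needed for this test");
        dependency.addIdentifier("cpe", "cpe:/a:mod_security:mod_security:3.0.0", "some url not needed for this test");
        dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_security:3.0.0", "some url not needed for this test");
        dependency.addIdentifier("maven", "org.springframework.security:spring-security-web:3.0.0.RELEASE", "some url not needed for this test");

        //cpe
        SuppressionRule instance = new SuppressionRule();
        PropertyType pt = new PropertyType();

        pt.setValue("org\\.springframework\\.security:spring.*");
        pt.setRegex(true);
        pt.setCaseSensitive(false);
        instance.setGav(pt);

        pt = new PropertyType();
        pt.setValue("cpe:/a:mod_security:mod_security");
        instance.addCpe(pt);
        pt = new PropertyType();
        pt.setValue("cpe:/a:springsource:spring_framework");
        instance.addCpe(pt);
        pt = new PropertyType();
        pt.setValue("cpe:/a:vmware:springsource_spring_framework");
        instance.addCpe(pt);

        instance.process(dependency);
        // 5 identifiers minus the 3 suppressed cpes
        assertEquals(2, dependency.getIdentifiers().size());
    }

    /**
     * Builds the fixture vulnerability used by testProcess: CWE-287,
     * CVE-2013-1337, CVSS 7.5.
     *
     * @return a new Vulnerability
     */
    private Vulnerability createVulnerability() {
        Vulnerability v = new Vulnerability();
        v.setCwe("CWE-287 Improper Authentication");
        v.setName("CVE-2013-1337");
        v.setCvssScore(7.5f);
        return v;
    }
}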
502 }