View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.util.HashSet;
23  import java.util.List;
24  import java.util.Set;
25  import org.apache.lucene.index.CorruptIndexException;
26  import org.apache.lucene.queryparser.classic.ParseException;
27  import org.junit.Assert;
28  import static org.junit.Assert.assertTrue;
29  import org.junit.Test;
30  import org.owasp.dependencycheck.BaseTest;
31  import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
32  import org.owasp.dependencycheck.data.cpe.IndexEntry;
33  import org.owasp.dependencycheck.dependency.Confidence;
34  import org.owasp.dependencycheck.dependency.Dependency;
35  import org.owasp.dependencycheck.dependency.Identifier;
36  
37  /**
38   *
39   * @author Jeremy Long
40   */
41  public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
42  
43      /**
44       * Tests of buildSearch of class CPEAnalyzer.
45       *
46       * @throws IOException is thrown when an IO Exception occurs.
47       * @throws CorruptIndexException is thrown when the index is corrupt.
48       * @throws ParseException is thrown when a parse exception occurs
49       */
50      @Test
51      public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
52          Set<String> productWeightings = new HashSet<String>(1);
53          productWeightings.add("struts2");
54  
55          Set<String> vendorWeightings = new HashSet<String>(1);
56          vendorWeightings.add("apache");
57  
58          String vendor = "apache software foundation";
59          String product = "struts 2 core";
60          String version = "2.1.2";
61          CPEAnalyzer instance = new CPEAnalyzer();
62  
63          String queryText = instance.buildSearch(vendor, product, null, null);
64          String expResult = " product:( struts 2 core )  AND  vendor:( apache software foundation ) ";
65          Assert.assertTrue(expResult.equals(queryText));
66  
67          queryText = instance.buildSearch(vendor, product, null, productWeightings);
68          expResult = " product:(  struts^5 struts2^5 2 core )  AND  vendor:( apache software foundation ) ";
69          Assert.assertTrue(expResult.equals(queryText));
70  
71          queryText = instance.buildSearch(vendor, product, vendorWeightings, null);
72          expResult = " product:( struts 2 core )  AND  vendor:(  apache^5 software foundation ) ";
73          Assert.assertTrue(expResult.equals(queryText));
74  
75          queryText = instance.buildSearch(vendor, product, vendorWeightings, productWeightings);
76          expResult = " product:(  struts^5 struts2^5 2 core )  AND  vendor:(  apache^5 software foundation ) ";
77          Assert.assertTrue(expResult.equals(queryText));
78      }
79  
80      /**
81       * Test of determineCPE method, of class CPEAnalyzer.
82       *
83       * @throws Exception is thrown when an exception occurs
84       */
85      @Test
86      public void testDetermineCPE_full() throws Exception {
87          CPEAnalyzer instance = new CPEAnalyzer();
88          instance.open();
89          FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
90          JarAnalyzer jarAnalyzer = new JarAnalyzer();
91          HintAnalyzer hAnalyzer = new HintAnalyzer();
92          FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
93  
94          try {
95              //callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
96              callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
97              callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
98              callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
99              callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
100             callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
101             callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
102         } finally {
103             instance.close();
104         }
105     }
106 
107     /**
108      * Test of determineCPE method, of class CPEAnalyzer.
109      *
110      * @throws Exception is thrown when an exception occurs
111      */
112     public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer instance, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
113 
114         //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
115         File file = BaseTest.getResourceAsFile(this, depName);
116 
117         Dependency dep = new Dependency(file);
118 
119         fnAnalyzer.analyze(dep, null);
120         jarAnalyzer.analyze(dep, null);
121         hAnalyzer.analyze(dep, null);
122         instance.analyze(dep, null);
123         fp.analyze(dep, null);
124 
125         if (expResult != null) {
126             Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
127             Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
128         } else {
129             for (Identifier i : dep.getIdentifiers()) {
130                 Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
131             }
132         }
133     }
134 
135     /**
136      * Test of determineCPE method, of class CPEAnalyzer.
137      *
138      * @throws Exception is thrown when an exception occurs
139      */
140     @Test
141     public void testDetermineCPE() throws Exception {
142         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
143         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
144         //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
145         Dependency struts = new Dependency(file);
146 
147         FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
148         fnAnalyzer.analyze(struts, null);
149 
150         HintAnalyzer hintAnalyzer = new HintAnalyzer();
151         JarAnalyzer jarAnalyzer = new JarAnalyzer();
152         jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
153 
154         jarAnalyzer.analyze(struts, null);
155         hintAnalyzer.analyze(struts, null);
156         //File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
157         File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
158         Dependency commonValidator = new Dependency(fileCommonValidator);
159         jarAnalyzer.analyze(commonValidator, null);
160         hintAnalyzer.analyze(commonValidator, null);
161 
162         //File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
163         File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
164         Dependency spring = new Dependency(fileSpring);
165         jarAnalyzer.analyze(spring, null);
166         hintAnalyzer.analyze(spring, null);
167 
168         //File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
169         File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
170         Dependency spring3 = new Dependency(fileSpring3);
171         jarAnalyzer.analyze(spring3, null);
172         hintAnalyzer.analyze(spring3, null);
173 
174         CPEAnalyzer instance = new CPEAnalyzer();
175         instance.open();
176         instance.determineCPE(commonValidator);
177         instance.determineCPE(struts);
178         instance.determineCPE(spring);
179         instance.determineCPE(spring3);
180         instance.close();
181 
182         String expResult = "cpe:/a:apache:struts:2.1.2";
183         Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
184         String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
185         String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
186 
187         for (Identifier i : commonValidator.getIdentifiers()) {
188             Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
189         }
190 
191         Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
192         Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
193         Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
194 
195         //the following two only work if the HintAnalyzer is used.
196         //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
197         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
198         jarAnalyzer.close();
199     }
200 
201     /**
202      * Test of determineIdentifiers method, of class CPEAnalyzer.
203      *
204      * @throws Exception is thrown when an exception occurs
205      */
206     @Test
207     public void testDetermineIdentifiers() throws Exception {
208         Dependency openssl = new Dependency();
209         openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
210         openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
211         openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
212 
213         CPEAnalyzer instance = new CPEAnalyzer();
214         instance.open();
215         instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
216         instance.close();
217 
218         String expResult = "cpe:/a:openssl:openssl:1.0.1c";
219         Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
220 
221         assertTrue(openssl.getIdentifiers().contains(expIdentifier));
222 
223     }
224 
225     /**
226      * Test of searchCPE method, of class CPEAnalyzer.
227      *
228      * @throws Exception is thrown when an exception occurs
229      */
230     @Test
231     public void testSearchCPE() throws Exception {
232         String vendor = "apache software foundation";
233         String product = "struts 2 core";
234         String version = "2.1.2";
235         String expVendor = "apache";
236         String expProduct = "struts";
237 
238         CPEAnalyzer instance = new CPEAnalyzer();
239         instance.open();
240 
241         Set<String> productWeightings = new HashSet<String>(1);
242         productWeightings.add("struts2");
243 
244         Set<String> vendorWeightings = new HashSet<String>(1);
245         vendorWeightings.add("apache");
246 
247         List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
248         instance.close();
249 
250         boolean found = false;
251         for (IndexEntry entry : result) {
252             if (expVendor.equals(entry.getVendor()) && expProduct.equals(entry.getProduct())) {
253                 found = true;
254                 break;
255             }
256         }
257         assertTrue("apache:struts was not identified", found);
258 
259     }
260 }