1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.nvdcve;
19  
20  import java.util.HashMap;
21  import java.util.List;
22  import java.util.Map;
23  import java.util.Map.Entry;
24  import java.util.Set;
25  import org.junit.Assert;
26  import static org.junit.Assert.assertTrue;
27  import org.junit.Test;
28  import org.owasp.dependencycheck.dependency.Vulnerability;
29  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
30  import org.owasp.dependencycheck.utils.DependencyVersion;
31  
32  /**
33   *
34   * @author Jeremy Long
35   */
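public class CveDBIntegrationTest extends BaseDBTestCase {

    /**
     * Pretty useless tests of open, commit, and close methods, of class CveDB.
     * Only checks that the open/commit/close sequence completes without throwing.
     *
     * @throws Exception if the database cannot be opened, committed or closed
     */
    @Test
    public void testOpen() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            instance.open();
            instance.commit();
        } finally {
            // only close what was actually constructed; the constructor itself may throw
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getCPEs method, of class CveDB.
     * Looks up the vulnerable-software entries for apache/struts and expects more
     * than five of them; presumably the test database is pre-populated with NVD
     * data by the base class (not visible here).
     *
     * @throws Exception if the database cannot be opened, queried or closed
     */
    @Test
    public void testGetCPEs() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            String vendor = "apache";
            String product = "struts";
            instance.open();
            Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
            assertTrue(result.size() > 5);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getVulnerabilities method, of class CveDB.
     * Checks the lookup by CPE string for two products: struts 2.1.2 must yield
     * more than five vulnerabilities, and jruby 1.6.3 must yield more than one and
     * must include two specific CVE identifiers.
     *
     * @throws Exception if the database cannot be opened, queried or closed
     */
    @Test
    public void testGetVulnerabilities() throws Exception {
        String cpeStr = "cpe:/a:apache:struts:2.1.2";
        CveDB instance = null;
        List<Vulnerability> results;
        try {
            instance = new CveDB();
            instance.open();
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 5);

            cpeStr = "cpe:/a:jruby:jruby:1.6.3";
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 1);

            // two CVEs the jruby 1.6.3 lookup is required to surface by name
            assertContainsVulnerability(results, "CVE-2011-4838");
            assertContainsVulnerability(results, "CVE-2012-5370");
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Asserts that a vulnerability with the given name is present in the results.
     * Fails with a message naming the missing identifier so a failed run says
     * which CVE was not matched.
     *
     * @param results the vulnerabilities returned by the lookup
     * @param expected the CVE identifier that must be present
     */
    private static void assertContainsVulnerability(List<Vulnerability> results, String expected) {
        for (Vulnerability v : results) {
            if (expected.equals(v.getName())) {
                return;
            }
        }
        Assert.fail("Expected " + expected + ", but was not identified");
    }

    /**
     * Test of getMatchingSoftware method, of class CveDB.
     * Feeds a map of vulnerable CPE strings (keyed to a boolean flag) together with
     * an identified dependency version and checks which entry, if any, is reported
     * as matching. From the assertions below the flag appears to mark an entry as
     * covering that version and earlier ones (1.0.1o matches only once 1.0.1q is
     * flagged); confirm against CveDB before relying on that reading.
     *
     * @throws Exception if the CveDB instance cannot be created or closed
     */
    @Test
    public void testGetMatchingSoftware() throws Exception {
        CveDB instance = null;
        Map<String, Boolean> versions = new HashMap<String, Boolean>();
        DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
        versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
        try {
            // NOTE(review): open() is never called here, unlike the other tests;
            // presumably getMatchingSoftware works purely on its arguments — confirm.
            instance = new CveDB();

            // an older, unflagged entry must not match a newer identified version
            Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNull(results);

            // a newer but unflagged entry must not match either
            versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNull(results);

            // a newer, flagged entry is expected to match and to be the one reported
            versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNotNull(results);
            Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());

            versions.clear();

            versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);

            // 4.0.0 pre-releases are listed unflagged; only 4.0.1 is flagged
            versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);

            // 3.2.2 is below the flagged 3.2.7 entry and must resolve to it
            identifiedVersion = new DependencyVersion("3.2.2");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            // assert non-null first so a missed match fails the assertion instead of throwing NPE
            Assert.assertNotNull(results);
            Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
            Assert.assertTrue(results.getValue());

            // 3.2.12 is above every flagged 3.2.x entry and must not match
            identifiedVersion = new DependencyVersion("3.2.12");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNull(results);

            // plain 4.0.0 is expected to resolve to the flagged 4.0.1, not to a pre-release entry
            identifiedVersion = new DependencyVersion("4.0.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNotNull(results);
            Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
            Assert.assertTrue(results.getValue());

            // 4.1.0 is above the flagged 4.0.1 entry and must not match
            identifiedVersion = new DependencyVersion("4.1.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNull(results);

            versions.clear();

            // NOTE(review): the map holds a jruby CPE but the call passes
            // springsource/spring_framework — looks like a copy-paste slip; confirm
            // whether vendor/product influence the match before changing it.
            // The "-" version entry is expected to match 1.6.3 regardless.
            versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
            identifiedVersion = new DependencyVersion("1.6.3");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNotNull(results);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

}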
181 }