1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.nvdcve;
19  
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import org.junit.Assert;
import org.junit.Test;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.DependencyVersion;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
34  
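/**
 * Integration tests for {@link CveDB}. Most of the lookups below run against a
 * populated CVE database (see {@link BaseDBTestCase}), so they exercise the real
 * query paths; only the version-matching test works purely on in-memory data.
 *
 * @author Jeremy Long
 */
public class CveDBIntegrationTest extends BaseDBTestCase {

    /**
     * Smoke test of the open, commit, and close methods of class CveDB: the only
     * expectation is that none of them throws.
     *
     * @throws Exception if the database cannot be opened
     */
    @Test
    public void testOpen() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            instance.open();
            instance.commit();
        } finally {
            // close() is only reachable once the constructor has succeeded
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getCPEs method, of class CveDB: a well-known vendor/product pair
     * must resolve to a non-trivial number of CPE entries.
     *
     * @throws Exception if the database cannot be opened
     */
    @Test
    public void testGetCPEs() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            String vendor = "apache";
            String product = "struts";
            instance.open();
            Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
            // the exact count depends on the NVD snapshot, so only a lower bound is asserted
            assertTrue(result.size() > 5);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getVulnerability method, of class CveDB: looking up a single CVE by
     * name must return the record carrying that CVE's description.
     *
     * @throws Exception if the database cannot be opened
     */
    @Test
    public void testgetVulnerability() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            instance.open();
            Vulnerability result = instance.getVulnerability("CVE-2014-0094");
            assertEquals("The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.", result.getDescription());
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getVulnerabilities method, of class CveDB: a CPE string must resolve
     * to a list of vulnerabilities, and specific known CVEs must be among them.
     *
     * @throws Exception if the database cannot be opened
     */
    @Test
    public void testGetVulnerabilities() throws Exception {
        String cpeStr = "cpe:/a:apache:struts:2.1.2";
        CveDB instance = null;
        List<Vulnerability> results;
        try {
            instance = new CveDB();
            instance.open();
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 5);

            cpeStr = "cpe:/a:jruby:jruby:1.6.3";
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 1);
            // both CVEs must be reported for this exact version; a miss here is a
            // false negative in the scanner, not merely a count mismatch
            assertContainsVulnerability(results, "CVE-2011-4838");
            assertContainsVulnerability(results, "CVE-2012-5370");
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Asserts that a vulnerability with the given CVE name is present in the
     * lookup result.
     *
     * @param results the vulnerabilities returned by the lookup under test
     * @param expected the CVE name that must be present
     */
    private static void assertContainsVulnerability(List<Vulnerability> results, String expected) {
        boolean found = false;
        for (Vulnerability v : results) {
            if (expected.equals(v.getName())) {
                found = true;
                break;
            }
        }
        assertTrue("Expected " + expected + ", but was not identified", found);
    }

    /**
     * Test of getMatchingSoftware method, of class CveDB. The map is keyed by
     * vulnerable-software CPE; its Boolean value is passed straight through to
     * getMatchingSoftware (presumably TRUE marks an entry as also covering
     * earlier versions — confirm against CveDB). The assertions pin which
     * identified versions are, and are not, reported as matching; both directions
     * matter, since a wrong match is a false positive and a missed one is a false
     * negative in the scan results.
     *
     * @throws Exception if CveDB cannot be constructed or closed
     */
    @Test
    public void testGetMatchingSoftware() throws Exception {
        CveDB instance = null;
        Map<String, Boolean> versions = new HashMap<String, Boolean>();
        DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
        versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
        try {
            // note: open() is not called here, so this test does not touch the database
            instance = new CveDB();
            // 1.0.1o is newer than every FALSE-flagged entry: no match expected
            Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            assertNull(results);
            versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            assertNull(results);

            // a TRUE-flagged newer entry (1.0.1q) does match the older identified version
            versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            assertNotNull(results);
            assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());

            versions.clear();

            versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);

            versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);

            // 3.2.2 is below the TRUE-flagged 3.2.7 and matches it; 3.2.12 is above
            // every 3.2.x entry and must not match
            identifiedVersion = new DependencyVersion("3.2.2");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
            assertTrue(results.getValue());
            identifiedVersion = new DependencyVersion("3.2.12");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            assertNull(results);

            // 4.0.0 (release) matches the TRUE-flagged 4.0.1 rather than the 4.0.0
            // pre-release entries; 4.1.0 is above every 4.x entry and must not match
            identifiedVersion = new DependencyVersion("4.0.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
            assertTrue(results.getValue());
            identifiedVersion = new DependencyVersion("4.1.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            assertNull(results);

            versions.clear();

            // a "-" version component is expected to match any identified version.
            // NOTE(review): the map key is a jruby CPE while the vendor/product passed
            // are spring's; this only passes if getMatchingSoftware matches on the map
            // entries rather than on those arguments — confirm this is intentional.
            versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
            identifiedVersion = new DependencyVersion("1.6.3");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            assertNotNull(results);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

}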