18 package org.owasp.dependencycheck.analyzer;
19
20 import java.io.File;
21 import java.io.IOException;
22 import java.util.Collections;
23 import java.util.List;
24 import java.util.Set;
25 import org.apache.lucene.index.CorruptIndexException;
26 import org.apache.lucene.queryparser.classic.ParseException;
27 import org.junit.Assert;
28 import static org.junit.Assert.assertTrue;
29 import org.junit.Test;
30 import org.owasp.dependencycheck.BaseTest;
31 import org.owasp.dependencycheck.BaseDBTestCase;
32 import org.owasp.dependencycheck.data.cpe.IndexEntry;
33 import org.owasp.dependencycheck.dependency.Confidence;
34 import org.owasp.dependencycheck.dependency.Dependency;
35 import org.owasp.dependencycheck.dependency.Identifier;
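/**
 * Integration tests for {@link CPEAnalyzer}.
 *
 * <p>The tests that call {@code open()} need the CPE index/database that
 * {@link BaseDBTestCase} provides, so their results depend on the index
 * content shipped with the test data. Every analyzer that is opened here is
 * closed in a {@code finally} block so that a failing assertion or an
 * exception from the analyzer does not leave index resources open for the
 * tests that run afterwards.
 */
public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {

    /**
     * Verifies the Lucene query text produced by {@code buildSearch} with and
     * without vendor/product term weightings. No index is needed because
     * {@code buildSearch} only formats the query string.
     *
     * @throws IOException thrown by the analyzer (declared by the tested API)
     * @throws CorruptIndexException thrown by the analyzer (declared by the tested API)
     * @throws ParseException thrown by the analyzer (declared by the tested API)
     */
    @Test
    public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
        final Set<String> productWeightings = Collections.singleton("struts2");
        final Set<String> vendorWeightings = Collections.singleton("apache");
        final String vendor = "apache software foundation";
        final String product = "struts 2 core";
        final CPEAnalyzer instance = new CPEAnalyzer();

        // assertEquals reports the actual query text on failure; the previous
        // assertTrue(expected.equals(actual)) only said "false".
        Assert.assertEquals(
                " product:( struts 2 core ) AND vendor:( apache software foundation ) ",
                instance.buildSearch(vendor, product, null, null));
        Assert.assertEquals(
                " product:( struts^5 struts2^5 2 core ) AND vendor:( apache software foundation ) ",
                instance.buildSearch(vendor, product, null, productWeightings));
        Assert.assertEquals(
                " product:( struts 2 core ) AND vendor:( apache^5 software foundation ) ",
                instance.buildSearch(vendor, product, vendorWeightings, null));
        Assert.assertEquals(
                " product:( struts^5 struts2^5 2 core ) AND vendor:( apache^5 software foundation ) ",
                instance.buildSearch(vendor, product, vendorWeightings, productWeightings));
    }

    /**
     * Runs the full analyzer chain (file name, JAR, hints, CPE, false-positive
     * filter) over a set of sample JARs and checks the resulting CPE
     * identifier, or the absence of one, for each.
     *
     * @throws Exception if any analyzer fails
     */
    @Test
    public void testDetermineCPE_full() throws Exception {
        final CPEAnalyzer instance = new CPEAnalyzer();
        final FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
        final JarAnalyzer jarAnalyzer = new JarAnalyzer();
        final HintAnalyzer hAnalyzer = new HintAnalyzer();
        final FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();

        instance.open();
        try {
            callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
            callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
            callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
            callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
            callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
            callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
        } finally {
            // Release both the CPE index and the JAR analyzer, as testDetermineCPE does.
            try {
                instance.close();
            } finally {
                jarAnalyzer.close();
            }
        }
    }

    /**
     * Analyzes one test resource with the given analyzers and asserts on the
     * CPE identifiers attached to the resulting dependency.
     *
     * @param depName name of the JAR test resource to load
     * @param expResult the CPE identifier expected to be present, or
     * {@code null} to assert that no CPE identifier was assigned at all
     * @param instance an already opened {@link CPEAnalyzer}
     * @param fnAnalyzer the file name analyzer
     * @param jarAnalyzer the JAR analyzer
     * @param hAnalyzer the hint analyzer
     * @param fp the false-positive analyzer, run last so it can remove identifiers
     * @throws Exception if any analyzer fails
     */
    public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer instance, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
        final File file = BaseTest.getResourceAsFile(this, depName);
        final Dependency dep = new Dependency(file);

        // Order matters: evidence collectors first, then CPE matching, then the
        // false-positive filter over the identifiers that were produced.
        fnAnalyzer.analyze(dep, null);
        jarAnalyzer.analyze(dep, null);
        hAnalyzer.analyze(dep, null);
        instance.analyze(dep, null);
        fp.analyze(dep, null);

        if (expResult != null) {
            final Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
            Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }",
                    dep.getIdentifiers().contains(expIdentifier));
        } else {
            for (Identifier id : dep.getIdentifiers()) {
                Assert.assertFalse(
                        String.format("%s - found a CPE identifier when should have been none (found '%s')",
                                dep.getFileName(), id.getValue()),
                        "cpe".equals(id.getType()));
            }
        }
    }

    /**
     * Checks {@code determineCPE} directly on several dependencies: a known
     * struts match, a commons-validator JAR that must not receive a CPE, and
     * two spring JARs that must receive at least one identifier.
     *
     * @throws Exception if any analyzer fails
     */
    @Test
    public void testDetermineCPE() throws Exception {
        final FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
        final HintAnalyzer hintAnalyzer = new HintAnalyzer();
        final JarAnalyzer jarAnalyzer = new JarAnalyzer();
        try {
            final File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
            final Dependency struts = new Dependency(file);
            fnAnalyzer.analyze(struts, null);

            // NOTE(review): the return value is discarded and the file does not
            // exist; presumably this only exercises accept() — confirm it has no
            // side effect on the analyzer before removing it.
            jarAnalyzer.accept(new File("test.jar"));

            jarAnalyzer.analyze(struts, null);
            hintAnalyzer.analyze(struts, null);

            final File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
            final Dependency commonValidator = new Dependency(fileCommonValidator);
            jarAnalyzer.analyze(commonValidator, null);
            hintAnalyzer.analyze(commonValidator, null);

            final File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
            final Dependency spring = new Dependency(fileSpring);
            jarAnalyzer.analyze(spring, null);
            hintAnalyzer.analyze(spring, null);

            final File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
            final Dependency spring3 = new Dependency(fileSpring3);
            jarAnalyzer.analyze(spring3, null);
            hintAnalyzer.analyze(spring3, null);

            final CPEAnalyzer instance = new CPEAnalyzer();
            instance.open();
            try {
                instance.determineCPE(commonValidator);
                instance.determineCPE(struts);
                instance.determineCPE(spring);
                instance.determineCPE(spring3);
            } finally {
                instance.close();
            }

            final String expResult = "cpe:/a:apache:struts:2.1.2";
            final Identifier expIdentifier = new Identifier("cpe", expResult, expResult);

            for (Identifier id : commonValidator.getIdentifiers()) {
                Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(id.getType()));
            }

            Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
            Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
            Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(),
                    spring3.getIdentifiers().size() >= 1);
        } finally {
            // Previously only closed on the success path.
            jarAnalyzer.close();
        }
    }

    /**
     * Feeds hand-built vendor/product/version evidence for openssl into
     * {@code determineIdentifiers} and checks the expected CPE is attached.
     *
     * @throws Exception if the analyzer fails
     */
    @Test
    public void testDetermineIdentifiers() throws Exception {
        final Dependency openssl = new Dependency();
        openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
        openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
        openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);

        final CPEAnalyzer instance = new CPEAnalyzer();
        instance.open();
        try {
            instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
        } finally {
            instance.close();
        }

        final String expResult = "cpe:/a:openssl:openssl:1.0.1c";
        final Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
        assertTrue(openssl.getIdentifiers().contains(expIdentifier));
    }

    /**
     * Searches the CPE index for the struts 2 core vendor/product text and
     * asserts that an {@code apache:struts} entry is among the hits.
     *
     * @throws Exception if the analyzer fails
     */
    @Test
    public void testSearchCPE() throws Exception {
        final String vendor = "apache software foundation";
        final String product = "struts 2 core";
        final String expVendor = "apache";
        final String expProduct = "struts";
        final Set<String> productWeightings = Collections.singleton("struts2");
        final Set<String> vendorWeightings = Collections.singleton("apache");

        final CPEAnalyzer instance = new CPEAnalyzer();
        instance.open();
        final List<IndexEntry> result;
        try {
            // NOTE(review): weightings are passed (product, vendor) here but
            // (vendor, product) to buildSearch above — confirm against the
            // searchCPE signature that this order is intended.
            result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
        } finally {
            instance.close();
        }

        boolean found = false;
        for (IndexEntry entry : result) {
            if (expVendor.equals(entry.getVendor()) && expProduct.equals(entry.getProduct())) {
                found = true;
                break;
            }
        }
        assertTrue("apache:struts was not identified", found);
    }
}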