1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import static org.hamcrest.CoreMatchers.is;
21  import static org.junit.Assert.assertThat;
22  import static org.junit.Assert.assertTrue;
23  
24  import java.io.File;
25  
26  import org.junit.After;
27  import org.junit.Assume;
28  import org.junit.Before;
29  import org.junit.Test;
30  import org.owasp.dependencycheck.BaseTest;
31  import org.owasp.dependencycheck.Engine;
32  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
33  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
34  import org.owasp.dependencycheck.dependency.Dependency;
35  import org.owasp.dependencycheck.utils.Settings;
36  import org.slf4j.Logger;
37  import org.slf4j.LoggerFactory;
38  
39  /**
40   * Unit tests for {@link RubyBundleAuditAnalyzer}.
41   *
42   * @author Dale Visser
43   */
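public class RubyBundleAuditAnalyzerTest extends BaseTest {

    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);

    /**
     * A path value that cannot resolve to a real bundle-audit executable; used to
     * drive the analyzer's "tool not installed" branch.
     */
    private static final String PHANTOM_BUNDLE_AUDIT = "phantom-bundle-audit";

    /**
     * The analyzer to test.
     */
    RubyBundleAuditAnalyzer analyzer;

    /**
     * Correctly setup the analyzer for testing.
     *
     * @throws Exception thrown if there is a problem
     */
    @Before
    public void setUp() throws Exception {
        Settings.initialize();
        analyzer = new RubyBundleAuditAnalyzer();
        analyzer.setFilesMatched(true);
    }

    /**
     * Cleanup the analyzer's temp files, etc.
     *
     * @throws Exception thrown if there is a problem
     */
    @After
    public void tearDown() throws Exception {
        Settings.cleanup();
        analyzer.close();
        analyzer = null;
    }

    /**
     * Test the Ruby Bundle Audit analyzer's reported name.
     */
    @Test
    public void testGetName() {
        assertThat(analyzer.getName(), is("Ruby Bundle Audit Analyzer"));
    }

    /**
     * Test Ruby Bundler Audit file support.
     */
    @Test
    public void testSupportsFiles() {
        assertThat(analyzer.accept(new File("Gemfile.lock")), is(true));
    }

    /**
     * Test Ruby BundlerAudit analysis against a Gemfile.lock that pins a
     * redcarpet version the test resources flag as vulnerable.
     *
     * <p>Only {@code initialize()} is guarded by the JUnit assumption: a missing
     * bundle-audit binary skips the test, but an exception thrown while building
     * the dependency or running the analysis is a genuine failure and propagates
     * instead of being silently converted into a skipped test.
     *
     * @throws AnalysisException is thrown when the analysis fails.
     * @throws DatabaseException is thrown when the engine cannot open its database.
     */
    @Test
    public void testAnalysis() throws AnalysisException, DatabaseException {
        try {
            analyzer.initialize();
        } catch (Exception e) {
            LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
        }

        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
        // NOTE(review): the engine is never released in this test; confirm whether this
        // version of Engine exposes a cleanup/close method that should be called here.
        final Engine engine = new Engine();
        analyzer.analyze(result, engine);

        // Exactly one dependency (the flagged gem) is expected to be registered on the engine.
        final int size = engine.getDependencies().size();
        assertThat(size, is(1));

        final Dependency dependency = engine.getDependencies().get(0);
        assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
        assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
    }

    /**
     * Test when Ruby bundle-audit is not available on the system: pointing the
     * analyzer at a non-existent executable must leave it disabled rather than
     * letting later analyses run against a missing tool.
     *
     * @throws AnalysisException is thrown when an exception occurs.
     * @throws DatabaseException is thrown when the engine cannot open its database.
     */
    @Test
    public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
        // Point the analyzer at an executable that does not exist.
        Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, PHANTOM_BUNDLE_AUDIT);
        try {
            analyzer.initialize();
        } catch (Exception expected) {
            // initialize() is allowed to fail here; the contract under test is the disabled state below.
            LOGGER.debug("initialize() failed for the phantom bundle-audit path, as expected.", expected);
        }
        // Asserted after the try rather than in a finally block so that an unexpected
        // Error thrown by initialize() is not masked by a second assertion failure.
        assertThat(analyzer.isEnabled(), is(false));
        LOGGER.info("{} is not available. Ruby Bundle Audit Analyzer is disabled as expected.", PHANTOM_BUNDLE_AUDIT);
    }
}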
140 }