1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.data.nvdcve;
19  
20  import org.owasp.dependencycheck.BaseDBTestCase;
21  import java.util.HashMap;
22  import java.util.List;
23  import java.util.Map;
24  import java.util.Map.Entry;
25  import java.util.Set;
26  import org.junit.Assert;
27  import static org.junit.Assert.assertTrue;
28  import org.junit.Test;
29  import org.owasp.dependencycheck.dependency.Vulnerability;
30  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
31  import org.owasp.dependencycheck.utils.DependencyVersion;
32  
33  /**
34   *
35   * @author Jeremy Long
36   */
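public class CveDBIntegrationTest extends BaseDBTestCase {

    /**
     * Pretty useless tests of open, commit, and close methods, of class CveDB.
     * The instance is closed in a finally block so that a failing open() or
     * commit() does not leave the database connection open for later tests.
     *
     * @throws Exception if the database cannot be opened, committed, or closed
     */
    @Test
    public void testOpen() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            instance.open();
            instance.commit();
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getCPEs method, of class CveDB. Looks up the vendor/product pair
     * apache/struts and expects more than five vulnerable-software entries.
     *
     * @throws Exception if the database cannot be opened or queried
     */
    @Test
    public void testGetCPEs() throws Exception {
        CveDB instance = null;
        try {
            instance = new CveDB();
            String vendor = "apache";
            String product = "struts";
            instance.open();
            Set<VulnerableSoftware> result = instance.getCPEs(vendor, product);
            assertTrue(result.size() > 5);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Test of getVulnerabilities method, of class CveDB. Checks the result
     * size for two CPEs and that two specific CVE identifiers are reported
     * for JRuby 1.6.3.
     *
     * @throws Exception if the database cannot be opened or queried
     */
    @Test
    public void testGetVulnerabilities() throws Exception {
        String cpeStr = "cpe:/a:apache:struts:2.1.2";
        CveDB instance = null;
        List<Vulnerability> results;
        try {
            instance = new CveDB();
            instance.open();
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 5);
            cpeStr = "cpe:/a:jruby:jruby:1.6.3";
            results = instance.getVulnerabilities(cpeStr);
            assertTrue(results.size() > 1);

            // Both CVEs must be present; the search itself lives in a helper so
            // the two checks cannot drift apart.
            assertContainsVulnerability(results, "CVE-2011-4838");
            assertContainsVulnerability(results, "CVE-2012-5370");
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

    /**
     * Asserts that a vulnerability whose name equals the expected CVE
     * identifier is present in the list returned by CveDB.getVulnerabilities.
     *
     * @param results the vulnerabilities returned for a CPE
     * @param expected the vulnerability name (CVE identifier) that must be present
     */
    private static void assertContainsVulnerability(List<Vulnerability> results, String expected) {
        boolean found = false;
        for (Vulnerability v : results) {
            if (expected.equals(v.getName())) {
                found = true;
                break;
            }
        }
        assertTrue("Expected " + expected + ", but was not identified", found);
    }

    /**
     * Test of getMatchingSoftware method, of class CveDB. The map holds CPE
     * strings with a Boolean flag; the assertions below are consistent with
     * reading TRUE as "this version and all previous versions are affected"
     * (e.g. identified 1.0.1o matches 1.0.1q only once that entry is TRUE)
     * - NOTE(review): confirm that reading against CveDB.
     *
     * @throws Exception if the CveDB instance cannot be created or closed
     */
    @Test
    public void testGetMatchingSoftware() throws Exception {
        CveDB instance = null;
        Map<String, Boolean> versions = new HashMap<String, Boolean>();
        DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
        versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
        try {
            // NOTE(review): unlike the other tests, open() is never called here;
            // presumably getMatchingSoftware needs no database access - confirm.
            instance = new CveDB();
            Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNull(results);
            versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNull(results);

            versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
            results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
            Assert.assertNotNull(results);
            Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());

            versions.clear();

            versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);

            versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
            versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);

            // 3.2.2 is below the TRUE-flagged 3.2.7 entry -> match expected.
            identifiedVersion = new DependencyVersion("3.2.2");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
            Assert.assertTrue(results.getValue());
            // 3.2.12 is above every 3.2.x entry -> no match expected.
            identifiedVersion = new DependencyVersion("3.2.12");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNull(results);

            // 4.0.0 is below the TRUE-flagged 4.0.1 entry -> match expected;
            // the 4.0.0 milestone/rc entries are FALSE and must not win.
            identifiedVersion = new DependencyVersion("4.0.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
            Assert.assertTrue(results.getValue());
            identifiedVersion = new DependencyVersion("4.1.0");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNull(results);

            versions.clear();

            // A CPE with version "-" (no specific version) is expected to match.
            // NOTE(review): vendor/product are still springsource/spring_framework
            // while the map holds a jruby CPE - looks like a copy-paste; confirm
            // whether the mismatch is intentional for this case.
            versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
            identifiedVersion = new DependencyVersion("1.6.3");
            results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
            Assert.assertNotNull(results);
        } finally {
            if (instance != null) {
                instance.close();
            }
        }
    }

}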