Add support for newer ODC

2026-01-17 00:57:18 +01:00 · 2020-01-31 00:53:40 +01:00
parent 237f6638a0
commit 52c3228ac3
11 changed files with 194 additions and 40 deletions
--- a/test/ParserSpec.scala
+++ b/test/ParserSpec.scala
@@ -0,0 +1,60 @@
+import java.io.{ByteArrayOutputStream, InputStream}
+
+import org.specs2.mutable.Specification
+import com.ysoft.odc._
+
+class ParserSpec  extends Specification {
+  private def readStream(in: InputStream): Array[Byte] = {
+    val buff = new Array[Byte](1024)
+    val out = new ByteArrayOutputStream()
+    var n = 0
+    while({
+      n = in.read(buff)
+      n != -1
+    }){
+      out.write(buff, 0, n)
+    }
+    out.toByteArray
+  }
+
+  private def parseReport(reportResourceName: String) = {
+    val reportBytes: Array[Byte] = readStream(getClass.getResourceAsStream(reportResourceName))
+    OdcParser.parseXmlReport(reportBytes)
+  }
+
+  private def findDependency(identifierType: String, name: String)(implicit report: Analysis) = {
+    val found = report.dependencies.filter(_.identifiers.exists(i => i.identifierType == identifierType && i.name == name))
+    found.size match {
+      case 0 => sys.error(s"Dependency $identifierType: $name not found")
+      case 1 => (found.toSeq)(0)
+      case _ => sys.error(s"Multiple dependencies $identifierType: $name found: $found")
+    }
+  }
+
+  private def shouldHaveIdentifier(dep: Dependency, identifierType: String, name: String) = s"should have identifier $identifierType: $name" >> {
+    (dep.identifiers.exists((i: Identifier) => (i.identifierType == identifierType) && (i.name == name))) should beTrue
+  }
+
+
+  "Maven report" >> {
+    implicit val report = parseReport("dependency-check-report-maven.xml")
+    "groupId" >> {report.groupId shouldEqual "com.ysoft.security"}
+    println(report.dependencies.map(_.identifiers).mkString("\n\n"))
+    "commons-collections" >> {
+      val dep = findDependency("maven", "commons-collections:commons-collections:3.2.1")
+      dep.vulnerabilities.size shouldEqual 3
+      //shouldHaveIdentifier(dep, "cpe", "cpe:/a:apache:commons_collections:3.2.1")
+    }
+    "commons-cli" >> {
+      val dep = findDependency("maven", "commons-cli:commons-cli:1.4")
+      dep.vulnerabilities.size shouldEqual 0
+      //shouldHaveIdentifier(dep, "cpe", "cpe:/a:cli_project:cli:1.4")
+    }
+    "jackson-databind" >> {
+      val dep = findDependency("maven", "com.fasterxml.jackson.core:jackson-databind:2.9.7")
+      dep.vulnerabilities.size shouldEqual 15
+      //shouldHaveIdentifier(dep, "cpe", "cpe:/a:fasterxml:jackson:2.9.7")
+      //shouldHaveIdentifier(dep, "cpe", "cpe:/a:fasterxml:jackson-databind:2.9.7")
+    }
+  }
+}
--- a/test/VulnerabilitySpec.scala
+++ b/test/VulnerabilitySpec.scala
@@ -4,7 +4,7 @@ import org.specs2.mutable.Specification
 //noinspection ScalaUnnecessaryParentheses
 class VulnerabilitySpec extends Specification {

-  val vuln = Vulnerability("some-vuln", None, CvssRating(None, None, None, None, None, None, None), "descr", Seq(
+  val vuln = Vulnerability("some-vuln", /*None,*/ CvssRating(None, None, None, None, None, None, None), "descr", Seq(
    VulnerableSoftware(allPreviousVersion = false, "cpe:/a:ftp:ftp"),
    VulnerableSoftware(allPreviousVersion = false, "cpe:/a:ssh:ssh:1.0"),
    VulnerableSoftware(allPreviousVersion = false, "cpe:/a:asd:asd:1.0")
--- a/test/resources/dependency-check-report-maven.xml
+++ b/test/resources/dependency-check-report-maven.xml
--- a/test/resources/pom.xml
+++ b/test/resources/pom.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.ysoft.security</groupId>
+    <artifactId>java-demo-project</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+		<dependency>
+			<groupId>commons-collections</groupId>
+			<artifactId>commons-collections</artifactId>
+			<version>3.2.1</version>
+		</dependency>
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.4</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.9.7</version>
+        </dependency>
+    </dependencies>
+
+</project>