1   /*
2    * This file is part of dependency-check-cofre.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2018 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import org.junit.After;
21  import org.junit.Before;
22  import org.junit.Test;
23  import org.owasp.dependencycheck.BaseTest;
24  import org.owasp.dependencycheck.Engine;
25  import org.owasp.dependencycheck.dependency.Dependency;
26  import org.owasp.dependencycheck.dependency.Evidence;
27  import org.owasp.dependencycheck.dependency.EvidenceType;
28  import org.owasp.dependencycheck.dependency.Vulnerability;
29  import org.owasp.dependencycheck.utils.Settings;
30  
31  import java.io.File;
32  
33  import static org.hamcrest.CoreMatchers.is;
34  import static org.hamcrest.MatcherAssert.assertThat;
35  import static org.junit.Assert.assertEquals;
36  import static org.junit.Assert.assertTrue;
37  
38  import org.owasp.dependencycheck.BaseDBTestCase;
39  import org.owasp.dependencycheck.data.update.RetireJSDataSource;
40  
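/**
 * Integration tests for {@link RetireJsAnalyzer}: the analyzer is run against the
 * bundled JavaScript fixtures and the extracted product/version evidence and the
 * vulnerabilities attached to the dependency are checked.
 *
 * <p>{@link #setUp()} refreshes the RetireJS data set through
 * {@code RetireJSDataSource.update(Engine)}, so the data seen by a run is not
 * fixed by this test. The vulnerability assertions are therefore written as a
 * lower bound plus a handful of named, long-established entries rather than as
 * exact counts, which would break whenever the data set grows.
 */
public class RetireJsAnalyzerIT extends BaseDBTestCase {

    /** Analyzer under test; created in {@link #setUp()}, closed in {@link #tearDown()}. */
    private RetireJsAnalyzer analyzer;
    /** Engine the analyzer records findings against; opened and closed with the fixture. */
    private Engine engine;

    /**
     * Opens the engine database, refreshes the RetireJS data and prepares the analyzer.
     *
     * @throws Exception if the engine, the data source update or the analyzer
     * initialisation fails; the fields left {@code null} are tolerated by {@link #tearDown()}
     */
    @Before
    @Override
    public void setUp() throws Exception {
        super.setUp();
        engine = new Engine(getSettings());
        engine.openDatabase(true, true);
        RetireJSDataSource ds = new RetireJSDataSource();
        ds.update(engine);
        analyzer = new RetireJsAnalyzer();
        analyzer.setFilesMatched(true);
        analyzer.initialize(getSettings());
        analyzer.prepare(engine);
    }

    /**
     * Releases the analyzer and the engine. Each close is attempted even if the
     * previous one throws, and {@code super.tearDown()} always runs, so a failure
     * part-way through {@link #setUp()} (leaving a field {@code null}) or in one
     * close does not leak the other resource or hide the original error behind a
     * {@code NullPointerException}.
     *
     * @throws Exception if closing the analyzer or the engine fails
     */
    @After
    @Override
    public void tearDown() throws Exception {
        try {
            if (analyzer != null) {
                analyzer.close();
            }
        } finally {
            try {
                if (engine != null) {
                    engine.close();
                }
            } finally {
                super.tearDown();
            }
        }
    }

    /**
     * Test of getName method.
     */
    @Test
    public void testGetName() {
        assertThat(analyzer.getName(), is("RetireJS Analyzer"));
    }

    /**
     * Test of accept method: plain and minified JavaScript files are accepted
     * once the analyzer is enabled.
     *
     * @throws Exception is thrown when an exception occurs.
     */
    @Test
    public void testAcceptSupportedExtensions() throws Exception {
        analyzer.setEnabled(true);
        String[] files = {"test.js", "test.min.js"};
        for (String name : files) {
            // the file name is the assertion message so a failure names the rejected extension
            assertTrue(name, analyzer.accept(new File(name)));
        }
    }

    /**
     * Test of getAnalysisPhase method.
     */
    @Test
    public void testGetAnalysisPhase() {
        AnalysisPhase expResult = AnalysisPhase.FINDING_ANALYSIS;
        AnalysisPhase result = analyzer.getAnalysisPhase();
        assertEquals(expResult, result);
    }

    /**
     * Test of getAnalyzerEnabledSettingKey method.
     */
    @Test
    public void testGetAnalyzerEnabledSettingKey() {
        String expResult = Settings.KEYS.ANALYZER_RETIREJS_ENABLED;
        String result = analyzer.getAnalyzerEnabledSettingKey();
        assertEquals(expResult, result);
    }

    /**
     * Test of analyze method against jQuery 1.6.2: the name and version are
     * extracted as single evidence entries and the known vulnerabilities for
     * that release are reported.
     *
     * @throws Exception is thrown when an exception occurs.
     */
    @Test
    public void testJquery() throws Exception {
        Dependency dependency = analyzeResource("javascript/jquery-1.6.2.js");

        assertEquals("jquery", dependency.getName());
        assertEquals("1.6.2", dependency.getVersion());
        assertSingleEvidence(dependency, EvidenceType.PRODUCT, "name", "jquery");
        assertSingleEvidence(dependency, EvidenceType.VERSION, "version", "1.6.2");

        assertAtLeastVulnerabilities(dependency, 3);
        assertVulnerabilityReported(dependency, "CVE-2015-9251");
        assertVulnerabilityReported(dependency, "CVE-2011-4969");
        assertVulnerabilityReported(dependency, "CVE-2012-6708");
    }

    /**
     * Test of analyze method against AngularJS 1.2.27. RetireJS identifies some
     * AngularJS issues by title rather than by CVE id, so the expected entries
     * here are titles.
     *
     * @throws Exception is thrown when an exception occurs.
     */
    @Test
    public void testAngular() throws Exception {
        Dependency dependency = analyzeResource("javascript/angular.safe.js");

        assertEquals("angularjs", dependency.getName());
        assertEquals("1.2.27", dependency.getVersion());
        assertSingleEvidence(dependency, EvidenceType.PRODUCT, "name", "angularjs");
        assertSingleEvidence(dependency, EvidenceType.VERSION, "version", "1.2.27");

        assertAtLeastVulnerabilities(dependency, 6);
        assertVulnerabilityReported(dependency, "Universal CSP bypass via add-on in Firefox");
        assertVulnerabilityReported(dependency, "XSS in $sanitize in Safari/Firefox");
        assertVulnerabilityReported(dependency, "DOS in $sanitize");
        assertVulnerabilityReported(dependency, "The attribute usemap can be used as a security exploit");
    }

    /**
     * Test of analyze method against Ember 1.3.0.
     *
     * @throws Exception is thrown when an exception occurs.
     */
    @Test
    public void testEmber() throws Exception {
        Dependency dependency = analyzeResource("javascript/ember.js");

        assertEquals("ember", dependency.getName());
        assertEquals("1.3.0", dependency.getVersion());
        assertSingleEvidence(dependency, EvidenceType.PRODUCT, "name", "ember");
        assertSingleEvidence(dependency, EvidenceType.VERSION, "version", "1.3.0");

        assertAtLeastVulnerabilities(dependency, 3);
        assertVulnerabilityReported(dependency, "CVE-2014-0013");
        assertVulnerabilityReported(dependency, "CVE-2014-0014");
        assertVulnerabilityReported(dependency, "CVE-2014-0046");
    }

    /**
     * Wraps the named test resource in a {@link Dependency} and runs the analyzer on it.
     *
     * @param resourcePath the resource path relative to the test resources root
     * @return the analyzed dependency
     * @throws Exception is thrown when the resource cannot be loaded or analysis fails
     */
    private Dependency analyzeResource(String resourcePath) throws Exception {
        File file = BaseTest.getResourceAsFile(this, resourcePath);
        Dependency dependency = new Dependency(file);
        analyzer.analyze(dependency, engine);
        return dependency;
    }

    /**
     * Asserts that exactly one piece of evidence of the given type was collected
     * and that it carries the expected name and value.
     *
     * @param dependency the analyzed dependency
     * @param type the evidence type to inspect
     * @param expectedName the expected evidence name
     * @param expectedValue the expected evidence value
     */
    private static void assertSingleEvidence(Dependency dependency, EvidenceType type,
            String expectedName, String expectedValue) {
        assertEquals("expected exactly one " + type + " evidence entry",
                1, dependency.getEvidence(type).size());
        Evidence evidence = dependency.getEvidence(type).iterator().next();
        assertEquals(expectedName, evidence.getName());
        assertEquals(expectedValue, evidence.getValue());
    }

    /**
     * Asserts a lower bound on the number of reported vulnerabilities. A lower
     * bound is used because the RetireJS data set refreshed in {@link #setUp()}
     * may gain entries over time; the failure message reports the actual count.
     *
     * @param dependency the analyzed dependency
     * @param minimum the smallest acceptable number of vulnerabilities
     */
    private static void assertAtLeastVulnerabilities(Dependency dependency, int minimum) {
        int found = dependency.getVulnerabilities().size();
        assertTrue("At least " + minimum + " vulnerabilities should be detected, found " + found,
                found >= minimum);
    }

    /**
     * Asserts that a vulnerability with the given identifier or title is attached
     * to the dependency.
     *
     * @param dependency the analyzed dependency
     * @param name the CVE id or RetireJS title of the expected vulnerability
     */
    private static void assertVulnerabilityReported(Dependency dependency, String name) {
        assertTrue("expected vulnerability '" + name + "' to be reported",
                dependency.getVulnerabilities().contains(new Vulnerability(name)));
    }
}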
196 }