test: avoid polluting test classpaths with sample dependencies to be scanned

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

core/pom.xml

@@ -15,7 +15,6 @@
  */
 package org.owasp.dependencycheck;
 
-import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -24,8 +23,7 @@
 import java.io.File;
 import java.io.InputStream;
 import java.net.URISyntaxException;
-
-import static org.junit.jupiter.api.Assumptions.assumeTrue;
+import java.util.Objects;
 
 /**
  *
@@ -43,8 +41,6 @@ public abstract class BaseTest {
      */
     @BeforeEach
     public void setUp() throws Exception {
-        System.setProperty("jcs.logSystem", "slf4j");
-        Slf4jAdapter.muteLogging(true);
         settings = new Settings();
     }
 
@@ -69,42 +65,33 @@ public static void tearDownClass() {
     }
 
     /**
-     * Returns the given resource as an InputStream using the object's class
-     * loader. The org.junit.Assume API is used so that test cases are skipped
-     * if the resource is not available.
+     * Returns the given resource as an InputStream using the object's class loader.
      *
      * @param o the object used to obtain a reference to the class loader
      * @param resource the name of the resource to load
      * @return the resource as an InputStream
      */
     public static InputStream getResourceAsStream(Object o, String resource) {
-        getResourceAsFile(o, resource);
-        return o.getClass().getClassLoader().getResourceAsStream(resource);
+        return Objects.requireNonNull(o.getClass().getClassLoader().getResourceAsStream(resource), resource + " not found on classpath");
     }
 
     /**
-     * Returns the given resource as a File using the object's class loader. The
-     * org.junit.Assume API is used so that test cases are skipped if the
-     * resource is not available.
+     * Returns the given resource as a File using the object's class loader.
      *
      * @param o the object used to obtain a reference to the class loader
      * @param resource the name of the resource to load
      * @return the resource as an File
      */
     public static File getResourceAsFile(Object o, String resource) {
         try {
-            File f = new File(o.getClass().getClassLoader().getResource(resource).toURI().getPath());
-            assumeTrue(f.exists(), String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource));
-            return f;
+            return new File(Objects.requireNonNull(o.getClass().getClassLoader().getResource(resource), resource + " not found on classpath").toURI().getPath());
         } catch (URISyntaxException e) {
             throw new UnsupportedOperationException(e);
         }
     }
 
     /**
-     * Returns the settings for the test cases.
-     *
-     * @return
+     * @return the settings for the test cases.
      */
     protected Settings getSettings() {
         return settings;

core/src/test/java/org/owasp/dependencycheck/BaseTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck;
 
+import org.hamcrest.Matchers;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
@@ -29,12 +30,12 @@
 
 import java.io.File;
 import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
+import java.util.stream.Collectors;
 
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -85,13 +86,9 @@ void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseException {
 
     /**
      * Test running the entire engine.
-     *
-     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
-     * @throws org.owasp.dependencycheck.exception.ReportException
-     * @throws org.owasp.dependencycheck.exception.ExceptionCollection
      */
     @Test
-    void testEngine() throws DatabaseException, ReportException, ExceptionCollection {
+    void testEngine() throws DatabaseException, ReportException {
         String testClasses = "target/test-classes";
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
@@ -100,38 +97,29 @@ void testEngine() throws DatabaseException, ReportException, ExceptionCollection
         getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, false);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, false);
-        ExceptionCollection exceptions = null;
         try (Engine instance = new Engine(getSettings())) {
             instance.scan(testClasses);
             assertTrue(instance.getDependencies().length > 0);
+
+            ExceptionCollection exceptions = null;
             try {
                 instance.analyzeDependencies();
             } catch (ExceptionCollection ex) {
-                Set<String> allowedMessages = new HashSet<>();
-                allowedMessages.add("bundle-audit");
-                allowedMessages.add("mix_audit");
-                allowedMessages.add("AssemblyAnalyzer");
-                allowedMessages.add("Failed to request component-reports");
-                allowedMessages.add("ailed to read results from the NPM Audit API");
-                allowedMessages.add("../tmp/evil.txt");
-                allowedMessages.add("malformed input off : 5, length : 1");
-                allowedMessages.add("Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt`");
-                allowedMessages.add("file from the NPM Audit API (PnpmAuditAnalyzer)");
-                for (Throwable t : ex.getExceptions()) {
-                    boolean isOk = false;
-                    if (t.getMessage() != null) {
-                        for (String msg : allowedMessages) {
-                            if (t.getMessage().contains(msg)) {
-                                isOk = true;
-                                break;
-                            }
-                        }
-                    }
-                    if (!isOk) {
-                        throw ex;
-                    }
-                    exceptions = ex;
-                }
+                List<String> allowedMessages = List.of(
+                        "../tmp/evil.txt",
+                        "invalid LOC header (bad entry name)",
+                        "malformed input off : 5, length : 1",
+                        "Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt`"
+                );
+
+                List<Throwable> unexpectedErrors = ex.getExceptions()
+                        .stream()
+                        .filter(t -> allowedMessages.stream().noneMatch(msg -> t.toString().contains(msg)))
+                        .collect(Collectors.toList());
+
+                assertThat("Analysis threw exceptions that weren't expected", unexpectedErrors, Matchers.empty());
+
+                exceptions = ex;
             }
             instance.writeReports("dependency-check sample", new File("./target/"), "ALL", exceptions);
         }

core/src/test/java/org/owasp/dependencycheck/EngineIT.java

@@ -137,7 +137,7 @@ void testAnalyze() throws Exception {
         try (Engine engine = new Engine(settings)) {
 
             instance.prepare(engine);
-            File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
+            File file = BaseTest.getResourceAsFile(this, "maven-lib/daytrader-ear-2.1.7.ear");
             Dependency dependency = new Dependency(file);
 
             int initial_size = engine.getDependencies().length;
@@ -230,8 +230,6 @@ void testAnalyzeTar() throws Exception {
         try (Engine engine = new Engine(settings)) {
             instance.prepare(null);
 
-            //File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
-            //File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
             File file = BaseTest.getResourceAsFile(this, "stagedhttp-modified.tar");
             Dependency dependency = new Dependency(file);
 
@@ -261,7 +259,6 @@ void testAnalyzeTarGz() throws Exception {
         try (Engine engine = new Engine(settings)) {
             instance.prepare(null);
 
-            //File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
             File file = BaseTest.getResourceAsFile(this, "file.tar.gz");
             //Dependency dependency = new Dependency(file);
 
@@ -322,7 +319,6 @@ void testAnalyzeTgz() throws Exception {
         try (Engine engine = new Engine(settings)) {
             instance.prepare(null);
 
-            //File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
             File file = BaseTest.getResourceAsFile(this, "file.tgz");
             int initial_size = engine.getDependencies().length;
             engine.scan(file);
@@ -408,7 +404,6 @@ void testAnalyze_badZip() throws Exception {
         try (Engine engine = new Engine(settings)) {
             instance.prepare(null);
 
-            //File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
             File file = BaseTest.getResourceAsFile(this, "test.zip");
             Dependency dependency = new Dependency(file);
             int initial_size = engine.getDependencies().length;

core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java

@@ -109,13 +109,12 @@ void testDetermineCPE_full() throws Exception {
             cpeSuppression.initialize(getSettings());
             cpeSuppression.prepare(e);
 
-            //callDetermineCPE_full("hazelcast-2.5.jar", "cpe:2.3:a:hazelcast:hazelcast:2.5:*:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
-            callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("maven-lib/spring-context-support-2.5.5.jar", "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
             callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:2.3:a:pivotal_software:spring_framework:3.0.0:release:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
             callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:2.3:a:springsource:spring_framework:3.0.0:release:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
             callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
-            callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
-            callDetermineCPE_full("xstream-1.4.8.jar", "cpe:2.3:a:xstream_project:xstream:1.4.8:*:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("maven-lib/ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+            callDetermineCPE_full("maven-lib/xstream-1.4.8.jar", "cpe:2.3:a:xstream_project:xstream:1.4.8:*:*:*:*:*:*:*", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
         } finally {
             cpeAnalyzer.close();
         }
@@ -137,7 +136,6 @@ void testDetermineCPE_full() throws Exception {
     private void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
             JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp, CpeSuppressionAnalyzer cpeSuppression) throws Exception {
 
-        //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
         File file = BaseTest.getResourceAsFile(this, depName);
 
         Dependency dep = new Dependency(file);
@@ -170,9 +168,7 @@ private void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer
      */
     @Test
     void testDetermineCPE() throws Exception {
-        //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
-        File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
-        //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
+        File file = BaseTest.getResourceAsFile(this, "maven-lib/struts2-core-2.1.2.jar");
         Dependency struts = new Dependency(file);
         try (Engine engine = new Engine(getSettings())) {
             CpeSuppressionAnalyzer suppressionAnalyzer = new CpeSuppressionAnalyzer();
@@ -192,19 +188,16 @@ void testDetermineCPE() throws Exception {
 
             jarAnalyzer.analyze(struts, engine);
             hintAnalyzer.analyze(struts, engine);
-            //File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
             File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
             Dependency commonValidator = new Dependency(fileCommonValidator);
             jarAnalyzer.analyze(commonValidator, engine);
             hintAnalyzer.analyze(commonValidator, engine);
 
-            //File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
-            File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
+            File fileSpring = BaseTest.getResourceAsFile(this, "maven-lib/spring-core-2.5.5.jar");
             Dependency spring = new Dependency(fileSpring);
             jarAnalyzer.analyze(spring, engine);
             hintAnalyzer.analyze(spring, engine);
 
-            //File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
             File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
             Dependency spring3 = new Dependency(fileSpring3);
             jarAnalyzer.analyze(spring3, engine);

core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java

@@ -66,7 +66,7 @@ void testGetAnalysisPhase() {
     @Test
     void testAnalyze() throws Exception {
 
-        File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
+        File file = BaseTest.getResourceAsFile(this, "maven-lib/commons-fileupload-1.2.1.jar");
         File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);

core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java

@@ -233,7 +233,7 @@ void testGetMainSwiftDependency() {
     void testGetMainAndroidDependency() throws Exception {
         ArchiveAnalyzer aa = null;
         try (Engine engine = new Engine(Engine.Mode.EVIDENCE_COLLECTION, getSettings())) {
-            Dependency dependency1 = new Dependency(BaseTest.getResourceAsFile(this, "aar-1.0.0.aar"));
+            Dependency dependency1 = new Dependency(BaseTest.getResourceAsFile(this, "maven-lib/aar-1.0.0.aar"));
             dependency1.setEcosystem(Ecosystem.JAVA);
             aa = new ArchiveAnalyzer();
 

core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java

@@ -61,11 +61,9 @@ void testGetAnalysisPhase() {
      */
     @Test
     void testAnalyze() throws Exception {
-        //File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
-        File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
+        File struts = BaseTest.getResourceAsFile(this, "maven-lib/struts2-core-2.1.2.jar");
         Dependency resultStruts = new Dependency(struts);
-        //File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
-        File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
+        File axis = BaseTest.getResourceAsFile(this, "maven-lib/axis2-adb-1.4.1.jar");
         Dependency resultAxis = new Dependency(axis);
         FileNameAnalyzer instance = new FileNameAnalyzer();
         instance.analyze(resultStruts, null);

core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java

@@ -64,10 +64,8 @@ void testGetAnalysisPhase() {
      */
     @Test
     void testAnalyze() throws Exception {
-        //File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
-        File guice = BaseTest.getResourceAsFile(this, "guice-3.0.jar");
+        File guice = BaseTest.getResourceAsFile(this, "maven-lib/guice-3.0.jar");
         //Dependency guice = new EngineDependency(fileg);
-        //File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
         File spring = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
         //Dependency spring = new Dependency(files);
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);

core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java

@@ -48,8 +48,7 @@ class JarAnalyzerTest extends BaseTest {
      */
     @Test
     void testAnalyze() throws Exception {
-        //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
-        File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
+        File file = BaseTest.getResourceAsFile(this, "maven-lib/struts2-core-2.1.2.jar");
         Dependency result = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
         instance.initialize(getSettings());
@@ -115,7 +114,7 @@ void testAnalyze() throws Exception {
 
     @Test
     void testAddMatchingValues() throws Exception {
-        File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
+        File file = BaseTest.getResourceAsFile(this, "maven-lib/struts2-core-2.1.2.jar");
         Dependency dependency = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
         instance.initialize(getSettings());
@@ -172,7 +171,7 @@ void testGetName() {
 
     @Test
     void testParseManifest() throws Exception {
-        File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
+        File file = BaseTest.getResourceAsFile(this, "maven-lib/xalan-2.7.0.jar");
         Dependency result = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
         List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<>();