test: Ensure packaged suppressions and hints are validated for loading consistently

Uses the actual analyzers to load them and ensure they can be parsed correctly

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -263,6 +263,9 @@ private void loadHostedSuppressionBaseData(final SuppressionParser parser, final
                     HostedSuppressionsDataSource.DEFAULT_SUPPRESSIONS_URL);
             final URL url = new URL(configuredUrl);
             final String fileName = new File(url.getPath()).getName();
+            if (fileName.isBlank()) {
+                throw new IllegalArgumentException("Hosted Suppression URL must imply a filename");
+            }
             final File repoFile = new File(getSettings().getDataDirectory(), fileName);
             boolean repoEmpty = !repoFile.isFile() || repoFile.length() <= 1L;
             if (repoEmpty) {
@@ -333,18 +336,6 @@ private void loadCachedHostedSuppressionsRules(final SuppressionParser parser, f
         }
     }
 
-    private static boolean forceUpdateHostedSuppressions(final Engine engine, final File repoFile) {
-        final HostedSuppressionsDataSource ds = new HostedSuppressionsDataSource();
-        boolean repoEmpty = true;
-        try {
-            ds.update(engine);
-            repoEmpty = !repoFile.isFile() || repoFile.length() <= 1L;
-        } catch (UpdateException ex) {
-            LOGGER.warn("Failed to update the Hosted Suppression file", ex);
-        }
-        return repoEmpty;
-    }
-
     /**
      * Load a single suppression rules file from the path provided using the
      * parser provided.
@@ -407,19 +398,17 @@ private List<SuppressionRule> loadSuppressionFile(final SuppressionParser parser
                     }
                 }
             }
-            if (file != null) {
-                if (!file.exists()) {
-                    final String msg = String.format("Suppression file '%s' does not exist", file.getPath());
-                    LOGGER.warn(msg);
-                    throw new SuppressionParseException(msg);
-                }
-                try {
-                    list.addAll(parser.parseSuppressionRules(file));
-                } catch (SuppressionParseException ex) {
-                    LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
-                    LOGGER.warn(ex.getMessage());
-                    throw ex;
-                }
+            if (!file.exists()) {
+                final String msg = String.format("Suppression file '%s' does not exist", file.getPath());
+                LOGGER.warn(msg);
+                throw new SuppressionParseException(msg);
+            }
+            try {
+                list.addAll(parser.parseSuppressionRules(file));
+            } catch (SuppressionParseException ex) {
+                LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
+                LOGGER.warn(ex.getMessage());
+                throw ex;
             }
         } catch (DownloadFailedException ex) {
             throwSuppressionParseException("Unable to fetch the configured suppression file", ex, suppressionFilePath);

core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.jetbrains.annotations.VisibleForTesting;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -327,4 +328,14 @@ private void loadHintRules() throws HintParseException {
         LOGGER.debug("{} hint rules were loaded.", hints.length);
         LOGGER.debug("{} duplicating hint rules were loaded.", vendorHints.length);
     }
+
+    @VisibleForTesting
+    HintRule[] getHintRules() {
+        return hints;
+    }
+
+    @VisibleForTesting
+    VendorDuplicatingHintRule[] getVendorDuplicatingHintRules() {
+        return vendorHints;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java

@@ -22,6 +22,7 @@
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 import javax.annotation.concurrent.NotThreadSafe;
 import org.apache.commons.lang3.time.DateFormatUtils;
@@ -856,4 +857,30 @@ public String toString() {
         sb.append('}');
         return sb.toString();
     }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        SuppressionRule that = (SuppressionRule) o;
+        return base == that.base
+                && Objects.equals(filePath, that.filePath)
+                && Objects.equals(sha1, that.sha1)
+                && Objects.equals(cpe, that.cpe)
+                && Objects.equals(cvssBelow, that.cvssBelow)
+                && Objects.equals(cvssV2Below, that.cvssV2Below)
+                && Objects.equals(cvssV3Below, that.cvssV3Below)
+                && Objects.equals(cvssV4Below, that.cvssV4Below)
+                && Objects.equals(cwe, that.cwe)
+                && Objects.equals(cve, that.cve)
+                && Objects.equals(vulnerabilityNames, that.vulnerabilityNames)
+                && Objects.equals(gav, that.gav)
+                && Objects.equals(packageUrl, that.packageUrl)
+                && Objects.equals(notes, that.notes)
+                && Objects.equals(until, that.until);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(filePath, sha1, cpe, cvssBelow, cvssV2Below, cvssV3Below, cvssV4Below, cwe, cve, vulnerabilityNames, gav, packageUrl, notes, base, until);
+    }
 }

core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java

@@ -17,25 +17,33 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.jspecify.annotations.NonNull;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.Engine.Mode;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.Settings.KEYS;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 
+import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.not;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer.SUPPRESSION_OBJECT_KEY;
 
 /**
  * @author Jeremy Long
@@ -134,12 +142,8 @@ void testFailureToLocateSuppressionFileAnywhere() {
      */
     private int getNumberOfRulesLoadedInCoreFile() throws Exception {
         getSettings().removeProperty(KEYS.SUPPRESSION_FILE);
-        final AbstractSuppressionAnalyzerImpl coreFileAnalyzer = new AbstractSuppressionAnalyzerImpl();
-        coreFileAnalyzer.initialize(getSettings());
-        Engine engine = new Engine(Mode.EVIDENCE_COLLECTION, getSettings());
-        coreFileAnalyzer.prepare(engine);
-        int count = AbstractSuppressionAnalyzer.getRuleCount(engine);
-        return count;
+        Engine engine = prepareSuppressions();
+        return AbstractSuppressionAnalyzer.getRuleCount(engine);
     }
 
     /**
@@ -152,13 +156,53 @@ private int getNumberOfRulesLoadedInCoreFile() throws Exception {
      */
     private int getNumberOfRulesLoadedFromPath(final String path) throws Exception {
         getSettings().setString(KEYS.SUPPRESSION_FILE, path);
+        Engine engine = prepareSuppressions();
+        return AbstractSuppressionAnalyzer.getRuleCount(engine);
+    }
+
+    private @NonNull Engine prepareSuppressions() throws InvalidSettingException, InitializationException {
         final AbstractSuppressionAnalyzerImpl fileAnalyzer = new AbstractSuppressionAnalyzerImpl();
         fileAnalyzer.initialize(getSettings());
         Downloader.getInstance().configure(getSettings());
         Engine engine = new Engine(Mode.EVIDENCE_COLLECTION, getSettings());
         fileAnalyzer.prepare(engine);
-        int count = AbstractSuppressionAnalyzer.getRuleCount(engine);
-        return count;
+        return engine;
+    }
+
+    @Nested
+    class CoreSuppressionsLoading {
+        @Test
+        void testLoadCorePackagedSuppressions() throws Exception {
+            List<SuppressionRule> baseRules = assertAllBaseSuppressionRulesAreMarkedCorrectly();
+
+            assertAllHostedSnapshotSuppressionsAreMarkedAsBase(baseRules);
+        }
+
+        private void assertAllHostedSnapshotSuppressionsAreMarkedAsBase(List<SuppressionRule> baseRules) throws InvalidSettingException, InitializationException {
+            getSettings().setBoolean(KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
+            getSettings().setString(KEYS.HOSTED_SUPPRESSIONS_URL, "https://intentionally-bad-url/hosted-suppressions.xml");
+            Engine engine = prepareSuppressions();
+
+            @SuppressWarnings("unchecked") List<SuppressionRule> allRules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);
+
+            List<SuppressionRule> hostedSnapshotRules = allRules.stream().filter(r -> !baseRules.contains(r)).collect(Collectors.toList());
+            assertThat(hostedSnapshotRules, not(empty()));
+            assertThat("Expected all suppressions in hosted suppressions snapshot file to be marked as base", allRulesNotMarkedAsBase(hostedSnapshotRules), empty());
+        }
+
+        private @NonNull List<SuppressionRule> assertAllBaseSuppressionRulesAreMarkedCorrectly() throws InvalidSettingException, InitializationException {
+            getSettings().setBoolean(KEYS.HOSTED_SUPPRESSIONS_ENABLED, false);
+            Engine engine = prepareSuppressions();
+
+            @SuppressWarnings("unchecked") List<SuppressionRule> baseRules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);
+            assertThat(baseRules, not(empty()));
+            assertThat("Expected all suppressions in base file to be marked as base", allRulesNotMarkedAsBase(baseRules), empty());
+            return baseRules;
+        }
+
+        private @NonNull List<SuppressionRule> allRulesNotMarkedAsBase(List<SuppressionRule> baseRules) {
+            return baseRules.stream().filter(r -> !r.isBase()).collect(Collectors.toList());
+        }
     }
 
     public static class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {

core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java

@@ -15,6 +15,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
@@ -26,7 +27,11 @@
 import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
+import java.util.List;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.not;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -130,6 +135,19 @@ void testAnalyze_1() throws Exception {
         assertEquals(1, d.getEvidence(EvidenceType.VENDOR).size(), "vendor evidence mismatch");
         assertEquals(1, d.getEvidence(EvidenceType.PRODUCT).size(), "product evidence mismatch");
         assertEquals(2, d.getEvidence(EvidenceType.VERSION).size(), "version evidence mismatch");
+    }
+
+    @Nested
+    class CoreHintsLoading {
+        @Test
+        void testLoadCorePackagedHints() throws Exception {
+            getSettings().removeProperty(Settings.KEYS.HINTS_FILE);
+            HintAnalyzer instance = new HintAnalyzer();
+            instance.initialize(getSettings());
+            instance.prepare(null);
 
+            assertThat(List.of(instance.getHintRules()), not(empty()));
+            assertThat(List.of(instance.getVendorDuplicatingHintRules()), not(empty()));
+        }
     }
 }