diff --git a/src/test/java/org/springframework/samples/petclinic/MySqlIntegrationTests.java b/src/test/java/org/springframework/samples/petclinic/MySqlIntegrationTests.java
index 867ef905b..f4aa85917 100644
--- a/src/test/java/org/springframework/samples/petclinic/MySqlIntegrationTests.java
+++ b/src/test/java/org/springframework/samples/petclinic/MySqlIntegrationTests.java
@@ -16,8 +16,6 @@ package org.springframework.samples.petclinic;
-import static org.assertj.core.api.Assertions.assertThat;
-
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledInNativeImage;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -26,6 +24,8 @@ import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.boot.test.web.server.LocalServerPort;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
 import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.core.io.buffer.DefaultDataBuffer;
+import org.springframework.core.io.buffer.DefaultDataBufferFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
@@ -37,6 +37,8 @@ import org.testcontainers.containers.MySQLContainer;
 import org.testcontainers.junit.jupiter.Container;
 import org.testcontainers.junit.jupiter.Testcontainers;
+import static org.assertj.core.api.Assertions.assertThat;
+
 @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
 @ActiveProfiles("mysql")
 @Testcontainers(disabledWithoutDocker = true)
@@ -57,8 +59,28 @@ class MySqlIntegrationTests {
 	@Autowired
 	private RestTemplateBuilder builder;
+	void simulateVulnerableMethodCall() throws Exception {
+		/*
+		Sonatype Runtime Agent - [TIME]: *** Vulnerable CLASS LOADED [className=org/springframework/core/io/buffer/DefaultDataBuffer] by the JVM
+		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Class-Loaded' to component 22d73bef97aff8a74a99 in application: a50576c3cd894d20b24dc0d98eea084b
+		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='22d73bef97aff8a74a99'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/3d62858ec88e49e0afd552066cb160ad
+		Sonatype Runtime Agent - [TIME]: *** Class with vulnerable METHOD LOADED [className=org/springframework/core/io/buffer/DefaultDataBuffer, methodName=split, methodDescriptor=(I)Lorg/springframework/core/io/buffer/DataBuffer;] by the JVM
+		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Method-Loaded' to component 22d73bef97aff8a74a99 in application: a50576c3cd894d20b24dc0d98eea084b
+		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='22d73bef97aff8a74a99'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/47fa37da85d8447f8c101d4db35ec797
+		Sonatype Runtime Agent - [TIME]: *** Vulnerable METHOD CALLED [className=org/springframework/core/io/buffer/DefaultDataBuffer, methodName=split, methodDescriptor=(I)Lorg/springframework/core/io/buffer/DataBuffer;]
+		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Method-Called' to component 22d73bef97aff8a74a99 in application: a50576c3cd894d20b24dc0d98eea084b
+		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='22d73bef97aff8a74a99'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/6a969f11748f45abba95870fcd7747bb
+		*/
+		DefaultDataBufferFactory defaultDataBufferFactory = new DefaultDataBufferFactory();
+		DefaultDataBuffer defaultDataBuffer = defaultDataBufferFactory.allocateBuffer(1024);
+		defaultDataBuffer.split(0);
+	}
+
 	@Test
 	void testFindAll() throws Exception {
+		// Demo: Simulate Runtime-Method-Called
+		simulateVulnerableMethodCall();
+
 		vets.findAll();
 		vets.findAll(); // served from cache
 	}
diff --git a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
index 86cafdf94..4cdad9a2c 100644
--- a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
+++ b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java
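Review bot: `simulateVulnerableMethodCall()` declares `throws Exception` although nothing in its body throws a checked exception, and calling it from `testFindAll` makes the runtime-agent demo a hidden precondition of the repository cache test — if `split(0)` ever fails, the failure is reported against `testFindAll`. Give the demo its own test method, `@Test void simulateVulnerableMethodCall()` without the `throws Exception`, and restore `testFindAll` to the two `vets.findAll()` calls; the same coupling is introduced in `PostgresIntegrationTests.testFindAll` in the next file. The pasted agent transcript embeds environment-specific values (application id, component hash, result URLs) that go stale on the next scan; a one-line intent comment such as `// Exercises DefaultDataBuffer.split(int) so the Sonatype runtime agent reports Runtime-Method-Called` carries the durable information, and if the advisory the agent is matching is known it belongs in that comment rather than in the log paste. The buffer returned by `split(0)` is discarded, which is fine for a call probe but is worth saying in the same comment so nobody later "fixes" it into a real assertion.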
@@ -78,19 +78,39 @@ public class PostgresIntegrationTests {
 			.run(args);
 	}
-	@Test
-	void testFindAll() throws Exception {
-		// Demo: Inject dependency intentionally
+	void simulateVulnerableClassWithMethodLoaded() {
 		/*
-		Sonatype Runtime Agent - [TIME]: *** Vulnerable CLASS LOADED [className=ch/qos/logback/core/net/HardenedObjectInputStream] by the JVM
-		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Class-Loaded' to component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
-		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/74387681c75446a5924812d032c77cad
-		Sonatype Runtime Agent - [TIME]: *** Class with vulnerable METHOD LOADED [className=ch/qos/logback/core/net/HardenedObjectInputStream, methodName=, methodDescriptor=(Ljava/io/InputStream;[Ljava/lang/String;)V] by the JVM
-		Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Method-Loaded' to component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
-		Sonatype Runtime Agent - [TIME]: Component evaluation for [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application a50576c3cd894d20b24dc0d98eea084b successful. Result URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/488f999c6730499a8cd454b37d3201b2
-		>> org.springframework.samples.petclinic.PostgresIntegrationTests loaded ch.qos.logback.core.net.HardenedObjectInputStream
+		 * Sonatype Runtime Agent - [TIME]: *** Vulnerable CLASS LOADED
+		 * [className=ch/qos/logback/core/net/HardenedObjectInputStream] by the JVM
+		 * Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Class-Loaded' to
+		 * component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
+		 * Sonatype Runtime Agent - [TIME]: Component evaluation for
+		 * [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application
+		 * a50576c3cd894d20b24dc0d98eea084b successful. Result
+		 * URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/
+		 * 74387681c75446a5924812d032c77cad Sonatype Runtime Agent - [TIME]: *** Class
+		 * with vulnerable METHOD LOADED
+		 * [className=ch/qos/logback/core/net/HardenedObjectInputStream,
+		 * methodName=,
+		 * methodDescriptor=(Ljava/io/InputStream;[Ljava/lang/String;)V] by the JVM
+		 * Sonatype Runtime Agent - [TIME]: Assigning label 'Runtime-Method-Loaded' to
+		 * component 2f9f280219a9922a7420 in application: a50576c3cd894d20b24dc0d98eea084b
+		 * Sonatype Runtime Agent - [TIME]: Component evaluation for
+		 * [ComponentEvaluation{hash='2f9f280219a9922a7420'}] in application
+		 * a50576c3cd894d20b24dc0d98eea084b successful. Result
+		 * URL=api/v2/evaluation/applications/a50576c3cd894d20b24dc0d98eea084b/results/
+		 * 488f999c6730499a8cd454b37d3201b2 >>
+		 * org.springframework.samples.petclinic.PostgresIntegrationTests loaded
+		 * ch.qos.logback.core.net.HardenedObjectInputStream
 		 */
 		System.out.println(">> " + getClass().getName() + " loaded " + HardenedObjectInputStream.class.getName());
+	}
+
+	@Test
+	void testFindAll() throws Exception {
+		// Demo: Simulate Runtime-Class-Loaded and Runtime-Method-Loaded
+		simulateVulnerableClassWithMethodLoaded();
+
 		vets.findAll();
 		vets.findAll(); // served from cache
 	}
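Review bot: The re-wrapped comment in `simulateVulnerableClassWithMethodLoaded` runs consecutive agent records together — the line ` * 74387681c75446a5924812d032c77cad Sonatype Runtime Agent - [TIME]: *** Class` carries the tail of one record and the head of the next — so the transcript is harder to read than the one it replaces, and it still embeds per-scan ids and result URLs that will not match the next run. Either keep one agent record per comment line or replace the transcript with an intent comment such as `// References HardenedObjectInputStream so the Sonatype runtime agent reports Runtime-Class-Loaded / Runtime-Method-Loaded`. The new `// Demo: Simulate ...` comment in `testFindAll` states both labels as the outcome, but the body only evaluates the class literal and prints its name; whether the agent attributes the load to this call rather than to logback's own initialisation is not visible from the test, so phrase that comment as the intent ("exercise a reference to …") rather than as a guaranteed result. `PostgresIntegrationTests` continues outside the hunk.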