`install.json` is a new type of Maven lockfile commonly used in Bazel Java projects. Implement virtual dependency scanning for such files, modeled after the existing PipAnalyzer. In addition to the testing added in this PR, it worked on our install.json file: https://github.com/batfish/batfish/blob/6688b5b49ea695e7b566a0b70403396f580b2805/maven_install.json
Showing
14 changed files
with
726 additions
and
0 deletions.
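--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
@@ -0,0 +1,261 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2020 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectReader;
+import com.github.packageurl.MalformedPackageURLException;
+import com.github.packageurl.PackageURL;
+import com.github.packageurl.PackageURLBuilder;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
+import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.concurrent.ThreadSafe;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * Used to analyze Maven pinned dependency files named {@code *install*.json}, a Java Maven dependency lockfile
+ * like Python's {@code requirements.txt}.
+ *
+ * @author dhalperi
+ * @see <a href="https://github.com/bazelbuild/rules_jvm_external#pinning-artifacts-and-integration-with-bazels-downloader">rules_jvm_external</a>
+ */
+@Experimental
+@ThreadSafe
+public class PinnedMavenInstallAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(PinnedMavenInstallAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Pinned Maven install Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * Pattern matching files with "install" in the basename and extension "json".
+     *
+     * <p>This regex is designed to explicitly skip files named {@code install.json} since those are used for
+     * Cloudflare installations and this will save on work.
+     */
+    private static final Pattern MAVEN_INSTALL_JSON_PATTERN = Pattern.compile("(.+install.*|.*install.+)\\.json");
+
+    /**
+     * Match any files that look like *install*.json.
+     */
+    private static final FileFilter FILTER = (File file) -> MAVEN_INSTALL_JSON_PATTERN.matcher(file.getName()).matches();
+
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED;
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.debug("Checking file {}", dependency.getActualFilePath());
+
+        final File dependencyFile = dependency.getActualFile();
+        if (!dependencyFile.isFile() || dependencyFile.length() == 0) {
+            return;
+        }
+
+        DependencyTree tree;
+        try {
+            InstallFile installFile = INSTALL_FILE_READER.readValue(dependencyFile);
+            tree = installFile.dependencyTree;
+        } catch (IOException e) {
+            return;
+        }
+
+        if (tree == null) {
+            return;
+        } else if (!Objects.equals(tree.autogeneratedSentinel, "THERE_IS_NO_DATA_ONLY_ZUUL")) {
+            return;
+        }
+
+        engine.removeDependency(dependency);
+
+        if (!Objects.equals(tree.version, "0.1.0")) {
+            LOGGER.warn("Unsupported pinned maven_install.json version {}. Continuing optimistically.", tree.version);
+        }
+
+        List<MavenDependency> deps = tree.dependencies;
+        if (deps == null) {
+            deps = Collections.emptyList();
+        }
+
+        for (MavenDependency dep : deps) {
+            if (dep.coord == null) {
+                LOGGER.warn("Unexpected null coordinate in {}", dependency.getActualFilePath());
+                continue;
+            }
+
+            LOGGER.debug("Analyzing {}", dep.coord);
+            String[] pieces = dep.coord.split(":");
+            if (pieces.length < 3 || pieces.length > 5) {
+                LOGGER.warn("Invalid maven coordinate {}", dep.coord);
+                continue;
+            }
+
+            String group = pieces[0];
+            String artifact = pieces[1];
+            String version;
+            String classifier = null;
+            if (pieces.length == 3) {
+                version = pieces[2];
+            } else if (pieces.length == 4) {
+                classifier = pieces[2];
+                version = pieces[3];
+            } else {
+                // length == 5 as guaranteed above.
+                classifier = pieces[3];
+                version = pieces[4];
+            }
+
+            if ("sources".equals(classifier)) {
+                LOGGER.debug("Skipping sources jar {}", dep.coord);
+                continue;
+            }
+
+            final Dependency d = new Dependency(dependency.getActualFile(), true);
+            d.setEcosystem(Ecosystem.JAVA);
+            d.addEvidence(EvidenceType.VENDOR, "project", "groupid", group, Confidence.HIGHEST);
+            d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", artifact, Confidence.HIGHEST);
+            d.addEvidence(EvidenceType.VERSION, "project", "version", version, Confidence.HIGHEST);
+            d.setName(String.format("%s:%s", group, artifact));
+            d.setFilePath(String.format("%s>>%s", dependency.getActualFile(), dep.coord));
+            d.setFileName(dep.coord);
+            try {
+                final PackageURLBuilder purl = PackageURLBuilder.aPackageURL()
+                        .withType(PackageURL.StandardTypes.MAVEN)
+                        .withNamespace(group)
+                        .withName(artifact)
+                        .withVersion(version);
+                if (classifier != null) {
+                    purl.withQualifier("classifier", classifier);
+                }
+                d.addSoftwareIdentifier(new PurlIdentifier(purl.build(), Confidence.HIGHEST));
+            } catch (MalformedPackageURLException e) {
+                d.addSoftwareIdentifier(new GenericIdentifier("maven_install JSON coord " + dep.coord, Confidence.HIGH));
+            } d.setVersion(version);
+            engine.addDependency(d);
+        }
+    }
+
+    @Override
+    protected void prepareFileTypeAnalyzer(Engine engine) {
+        // No initialization needed.
+    }
+
+    /**
+     * Represents the entire pinned Maven dependency set in an install.json file.
+     *
+     * <p>At the time of writing, the latest version is 0.1.0, and the dependencies are stored in {@code .dependency_tree.dependencies[].coord}.
+     *
+     * <p>The only top-level key we care about is {@code .dependency_tree}.
+     */
+    private static class InstallFile {
+        @JsonProperty("dependency_tree")
+        public DependencyTree dependencyTree;
+    }
+
+    /**
+     * Represents the values at {@code .dependency_tree} in the {@link InstallFile install file}.
+     */
+    private static class DependencyTree {
+        /**
+         * A sentinel value placed in the file to indicate that it is an auto-generated pinned maven install file.
+         */
+        @JsonProperty("__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY")
+        public String autogeneratedSentinel;
+
+        /**
+         * A list of Maven dependencies made available. Note that this list is transitively closed and pinned to a specific version of each artifact.
+         */
+        @JsonProperty("dependencies")
+        public List<MavenDependency> dependencies;
+
+        /**
+         * The file format version.
+         */
+        @JsonProperty("version")
+        public String version;
+    }
+
+    /**
+     * Represents a single dependency in the list at {@code .dependency_tree.dependencies}.
+     */
+    private static class MavenDependency {
+        /**
+         * The standard Maven coordinate string {@code group:artifact[:optional classifier][:optional packaging]:version}.
+         */
+        @JsonProperty("coord")
+        public String coord;
+    }
+
+    /**
+     * A reusable reader for {@link InstallFile}.
+     */
+    private static final ObjectReader INSTALL_FILE_READER;
+
+    static {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+        INSTALL_FILE_READER = mapper.readerFor(InstallFile.class);
+    }
+}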
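Review bot: The `catch (IOException e) { return; }` near the top of analyzeDependency drops the parse failure silently, so a truncated or hand-edited lockfile (or any other JSON that happens to match `*install*.json`) vanishes from the scan with no trace in the log; because the filename glob is broad a warning would be noisy, but the cause should at least be kept at debug level, `LOGGER.debug("Unable to parse {} as a maven_install.json file", dependency.getActualFilePath(), e);`, mirroring how the sentinel mismatch could also be reported. The MavenDependency javadoc gives the coordinate order as `group:artifact[:optional classifier][:optional packaging]:version`, yet the five-part branch reads the classifier from `pieces[3]` (after the packaging) and the four-part branch treats `pieces[2]` as a classifier, so a `group:artifact:packaging:version` coordinate would presumably end up with the packaging recorded as a `classifier` qualifier in the PURL; the comment and the parsing should be reconciled against rules_jvm_external's actual format. The split also accepts empty pieces, so a coordinate such as `a::1.0` passes the length check and yields product evidence of the empty string; a guard that group, artifact and version are non-empty before `new Dependency(...)` would close that.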