From 0c28bd6173d77b901e9a264ee056a382f891c3bf Mon Sep 17 00:00:00 2001
From: Daniel Halperin
Date: Tue, 23 Aug 2022 14:57:58 -0700
Subject: [PATCH 1/2] Add a PinnedMavenInstallAnalyzer

`install.json` is a new type of Maven lockfile commonly used in Bazel Java projects. Implement virtual dependency scanning for such files, modeled after the existing PipAnalyzer. In addition to the testing added in this PR, it worked on our install.json file: https://github.com/batfish/batfish/blob/6688b5b49ea695e7b566a0b70403396f580b2805/maven_install.json
---
 .../owasp/dependencycheck/taskdefs/Check.java | 5 +
 .../java/org/owasp/dependencycheck/App.java | 2 +
 .../org/owasp/dependencycheck/CliParser.java | 4 +
 cli/src/test/resources/sample.properties | 1 +
 cli/src/test/resources/sample2.properties | 1 +
 .../analyzer/PinnedMavenInstallAnalyzer.java | 262 ++++++++++++++++
 ...rg.owasp.dependencycheck.analyzer.Analyzer | 1 +
 .../main/resources/dependencycheck.properties | 1 +
 .../PinnedMavenInstallAnalyzerTest.java | 127 ++++++++
 .../test/resources/dependencycheck.properties | 1 +
 .../maven/BaseDependencyCheckMojo.java | 7 +
 src/test/resources/install.json | 15 +
 src/test/resources/maven_install.json | 296 ++++++++++++++++++
 .../owasp/dependencycheck/utils/Settings.java | 4 +
 14 files changed, 727 insertions(+)
 create mode 100644 core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
 create mode 100644 core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
 create mode 100644 src/test/resources/install.json
 create mode 100644 src/test/resources/maven_install.json
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index 3f6a5556f2a..684f74b031d 100644
--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -302,6 +302,10 @@ public class Check extends Update {
 * Whether the pip analyzer should be enabled.
 */
 private Boolean pipAnalyzerEnabled;
+ /**
+ * Whether the Maven install.json analyzer should be enabled.
+ */
+ private Boolean mavenInstallAnalyzerEnabled;
 /**
 * Whether the pipfile analyzer should be enabled.
 */
@@ -1986,6 +1990,7 @@ protected void populateSettings() throws BuildException {
 getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
 getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+ getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
index acfd6f7737c..9cb11c3f56a 100644
--- a/cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -511,6 +511,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_PY_PKG, Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED));
 settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED,
 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_AUTOCONF, Settings.KEYS.ANALYZER_AUTOCONF_ENABLED));
+ settings.setBoolean(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED,
+ !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_MAVEN_INSTALL, Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED));
 settings.setBoolean(Settings.KEYS.ANALYZER_PIP_ENABLED,
 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_PIP, Settings.KEYS.ANALYZER_PIP_ENABLED));
 settings.setBoolean(Settings.KEYS.ANALYZER_PIPFILE_ENABLED,
diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index f2263123615..a70c43ab5a5 100644
--- a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -1196,6 +1196,10 @@ public static class ARGUMENT {
 * Disables the Autoconf Analyzer.
 */
 public static final String DISABLE_AUTOCONF = "disableAutoconf";
+ /**
+ * Disables the Maven install Analyzer.
+ */
+ public static final String DISABLE_MAVEN_INSTALL = "disableMavenInstall";
 /**
 * Disables the pip Analyzer.
 */
diff --git a/cli/src/test/resources/sample.properties b/cli/src/test/resources/sample.properties
index e82ad42eee9..e47f5af1e00 100644
--- a/cli/src/test/resources/sample.properties
+++ b/cli/src/test/resources/sample.properties
@@ -9,6 +9,7 @@ analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.autoconf.enabled=true
+analyzer.maveninstall.enabled=true
 analyzer.pip.enabled=true
 analyzer.pipfile.enabled=true
 analyzer.cmake.enabled=true
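Review bot: `DISABLE_MAVEN_INSTALL` is only declared in this hunk; nothing in the patch registers a `--disableMavenInstall` option with the command-line parser (the diffstat shows just four added lines in CliParser.java), so unless that registration exists outside this diff, `cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_MAVEN_INSTALL, …)` in the App.java hunk can never see the flag and the analyzer cannot be switched off from the CLI. The sibling constants such as `DISABLE_AUTOCONF` presumably have a matching option definition and help text elsewhere in CliParser; add the same entry for this constant, e.g. `Option.builder().longOpt(ARGUMENT.DISABLE_MAVEN_INSTALL).desc("Disable the pinned Maven install.json Analyzer.").build()` next to the other disable options. The enclosing `ARGUMENT` class starts and ends outside the hunk.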
diff --git a/cli/src/test/resources/sample2.properties b/cli/src/test/resources/sample2.properties
index 1b145acb1cf..3baaa1c6d38 100644
--- a/cli/src/test/resources/sample2.properties
+++ b/cli/src/test/resources/sample2.properties
@@ -9,6 +9,7 @@ analyzer.python.distribution.enabled=false
 analyzer.python.package.enabled=false
 analyzer.ruby.gemspec.enabled=false
 analyzer.autoconf.enabled=false
+analyzer.maveninstall.enabled=false
 analyzer.pip.enabled=false
 analyzer.pipfile.enabled=false
 analyzer.cmake.enabled=false
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
new file mode 100644
index 00000000000..b64f41ca3c7
--- /dev/null
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
@@ -0,0 +1,262 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2020 The OWASP Foundation. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectReader; +import com.github.packageurl.MalformedPackageURLException; +import com.github.packageurl.PackageURL; +import com.github.packageurl.PackageURLBuilder; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; +import org.owasp.dependencycheck.dependency.naming.GenericIdentifier; +import org.owasp.dependencycheck.dependency.naming.PurlIdentifier; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.annotation.concurrent.ThreadSafe; +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; +import java.util.Collections; +import java.util.List; +import 
java.util.Objects; +import java.util.regex.Pattern; + +/** + * Used to analyze Maven pinned dependency files named {@code *install*.json}, a Java Maven dependency lockfile + * like Python's {@code requirements.txt}. + * + * @author dhalperi + * @see rules_jvm_external + */ +@Experimental +@ThreadSafe +public class PinnedMavenInstallAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(PinnedMavenInstallAnalyzer.class); + + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "Pinned Maven install Analyzer"; + + /** + * The phase that this analyzer is intended to run in. + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + + /** + * Pattern matching files with "install" in the basename and extension "json". + * + *

This regex is designed to explicitly skip files named {@code install.json} since those are used for + * Cloudflare installations and this will save on work. + */ + private static final Pattern MAVEN_INSTALL_JSON_PATTERN = Pattern.compile("(.+install.*|.*install.+)\\.json"); + + /** + * Match any files that look like *install*.json. + */ + private static final FileFilter FILTER = (File file) -> MAVEN_INSTALL_JSON_PATTERN.matcher(file.getName()).matches(); + + @Override + protected FileFilter getFileFilter() { + return FILTER; + } + + @Override + public String getName() { + return ANALYZER_NAME; + } + + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED; + } + + @Override + protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + LOGGER.debug("Checking file {}", dependency.getActualFilePath()); + + final File dependencyFile = dependency.getActualFile(); + if (!dependencyFile.isFile() || dependencyFile.length() == 0) { + return; + } + + DependencyTree tree; + try { + InstallFile installFile = INSTALL_FILE_READER.readValue(dependencyFile); + tree = installFile.dependencyTree; + } catch (IOException e) { + return; + } + + if (tree == null) { + return; + } else if (!Objects.equals(tree.autogeneratedSentinel, "THERE_IS_NO_DATA_ONLY_ZUUL")) { + return; + } + + engine.removeDependency(dependency); + + if (!Objects.equals(tree.version, "0.1.0")) { + LOGGER.warn("Unsupported pinned maven_install.json version {}. 
Continuing optimistically.", tree.version); + } + + List deps = tree.dependencies; + if (deps == null) { + deps = Collections.emptyList(); + } + + for (MavenDependency dep : deps) { + if (dep.coord == null) { + LOGGER.warn("Unexpected null coordinate in {}", dependency.getActualFilePath()); + continue; + } + + LOGGER.debug("Analyzing {}", dep.coord); + String[] pieces = dep.coord.split(":"); + if (pieces.length < 3 || pieces.length > 5) { + LOGGER.warn("Invalid maven coordinate {}", dep.coord); + continue; + } + + String group = pieces[0]; + String artifact = pieces[1]; + String version; + String classifier = null; + if (pieces.length == 3) { + version = pieces[2]; + } else if (pieces.length == 4) { + classifier = pieces[2]; + version = pieces[3]; + } else { + // length == 5 as guaranteed above. + classifier = pieces[3]; + version = pieces[4]; + } + + if ("sources".equals(classifier)) { + LOGGER.debug("Skipping sources jar {}", dep.coord); + continue; + } + + final Dependency d = new Dependency(dependency.getActualFile(), true); + d.setEcosystem(Ecosystem.JAVA); + d.addEvidence(EvidenceType.VENDOR, "project", "groupid", group, Confidence.HIGHEST); + d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", artifact, Confidence.HIGHEST); + d.addEvidence(EvidenceType.VERSION, "project", "version", version, Confidence.HIGHEST); + d.setName(String.format("%s:%s", group, artifact)); + d.setFilePath(String.format("%s>>%s", dependency.getActualFile(), dep.coord)); + d.setFileName(dep.coord); + try { + final PackageURLBuilder purl = PackageURLBuilder.aPackageURL() + .withType(PackageURL.StandardTypes.MAVEN) + .withNamespace(group) + .withName(artifact) + .withVersion(version); + if (classifier != null) { + purl.withQualifier("classifier", classifier); + } + d.addSoftwareIdentifier(new PurlIdentifier(purl.build(), Confidence.HIGHEST)); + } catch (MalformedPackageURLException e) { + d.addSoftwareIdentifier(new GenericIdentifier("maven_install JSON coord " + dep.coord, 
Confidence.HIGH)); + } + d.setVersion(version); + engine.addDependency(d); + } + } + + @Override + protected void prepareFileTypeAnalyzer(Engine engine) { + // No initialization needed. + } + + /** + * Represents the entire pinned Maven dependency set in an install.json file. + * + *

At the time of writing, the latest version is 0.1.0, and the dependencies are stored in {@code .dependency_tree.dependencies[].coord}. + * + *

The only top-level key we care about is {@code .dependency_tree}. + */ + private static class InstallFile { + @JsonProperty("dependency_tree") + public DependencyTree dependencyTree; + } + + /** + * Represents the values at {@code .dependency_tree} in the {@link InstallFile install file}. + */ + private static class DependencyTree { + /** + * A sentinel value placed in the file to indicate that it is an auto-generated pinned maven install file. + */ + @JsonProperty("__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY") + public String autogeneratedSentinel; + + /** + * A list of Maven dependencies made available. Note that this list is transitively closed and pinned to a specific version of each artifact. + */ + @JsonProperty("dependencies") + public List dependencies; + + /** + * The file format version. + */ + @JsonProperty("version") + public String version; + } + + /** + * Represents a single dependency in the list at {@code .dependency_tree.dependencies}. + */ + private static class MavenDependency { + /** + * The standard Maven coordinate string {@code group:artifact[:optional classifier][:optional packaging]:version}. + */ + @JsonProperty("coord") + public String coord; + } + + /** + * A reusable reader for {@link InstallFile}. + */ + private static final ObjectReader INSTALL_FILE_READER; + + static { + ObjectMapper mapper = new ObjectMapper(); + mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + INSTALL_FILE_READER = mapper.readerFor(InstallFile.class); + } +} diff --git a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 65ac43b55ab..9f70c0ee7cc 100644 --- a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer 
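Review bot: In `analyzeDependency`, `catch (IOException e) { return; }` drops the parse failure without a log line, so a truncated or malformed `*install*.json` is silently skipped and the scan simply reports nothing for it; in a dependency scanner that is lost coverage with no signal, so log it — `LOGGER.warn("Unable to parse {} as a pinned maven_install.json; skipping", dependency.getActualFilePath(), e);` (debug level is acceptable if non-Maven `*install*.json` files are expected to be common, since the sentinel check already filters those that do parse). The coordinate parsing also disagrees with its own Javadoc: the five-piece branch takes `pieces[3]` as the classifier, i.e. packaging before classifier as in the fixture's `jsr305:jar:sources:3.0.2`, while the four-piece branch takes `pieces[2]` as the classifier, which under that same layout would be the packaging, so if the five-piece branch is right a coordinate like `group:artifact:jar:1.0` (constructed example) would get a spurious `classifier=jar` qualifier in its PURL. The `MavenDependency.coord` doc string `group:artifact[:optional classifier][:optional packaging]:version` states the opposite order from the five-piece code; confirm the rules_jvm_external layout and make the two branches and the doc agree. Lastly, the hard-coded `"0.1.0"` and `"THERE_IS_NO_DATA_ONLY_ZUUL"` literals would read better as named constants with a one-line comment saying which rules_jvm_external format version they pin.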
@@ -42,3 +42,4 @@ org.owasp.dependencycheck.analyzer.SwiftPackageResolvedAnalyzer
 org.owasp.dependencycheck.analyzer.VersionFilterAnalyzer
 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer
 org.owasp.dependencycheck.analyzer.PerlCpanfileAnalyzer
+org.owasp.dependencycheck.analyzer.PinnedMavenInstallAnalyzer
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
index 3b233fcaa6b..4ea60acb863 100644
--- a/core/src/main/resources/dependencycheck.properties
+++ b/core/src/main/resources/dependencycheck.properties
@@ -129,6 +129,7 @@ analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.bundle.audit.enabled=true
 analyzer.autoconf.enabled=true
+analyzer.maveninstall.enabled=true
 analyzer.pip.enabled=true
 analyzer.pipfile.enabled=true
 analyzer.cmake.enabled=true
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
new file mode 100644
index 00000000000..5732bb7d39e
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
@@ -0,0 +1,127 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2020 The OWASP Foundation. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.lang3.ArrayUtils; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseDBTestCase; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem; +import org.owasp.dependencycheck.dependency.Dependency; + +import java.io.File; + +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.Assert.*; + +/** + * Unit tests for {@link PinnedMavenInstallAnalyzer}. + */ +public class PinnedMavenInstallAnalyzerTest extends BaseDBTestCase { + + /** + * The analyzer to test. + */ + private PinnedMavenInstallAnalyzer analyzer; + + /** + * Correctly set up the analyzer for testing. + * + * @throws Exception thrown if there is a problem + */ + @Before + @Override + public void setUp() throws Exception { + super.setUp(); + analyzer = new PinnedMavenInstallAnalyzer(); + analyzer.initialize(getSettings()); + analyzer.setFilesMatched(true); + analyzer.prepare(null); + } + + /** + * Cleanup the analyzer's temp files, etc. 
+ * + * @throws Exception thrown if there is a problem + */ + @After + @Override + public void tearDown() throws Exception { + analyzer.close(); + super.tearDown(); + } + + @Test + public void testGetName() { + assertEquals("Pinned Maven install Analyzer", analyzer.getName()); + } + + @Test + public void testSupportsFiles() { + assertTrue(analyzer.accept(new File("install_maven.json"))); + assertTrue(analyzer.accept(new File("maven_install.json"))); + assertTrue(analyzer.accept(new File("rules_jvm_external_install.json"))); + assertTrue(analyzer.accept(new File("pinned_install_gplonly.json"))); + assertFalse("should not accept Cloudflare install.json", analyzer.accept(new File("install.json"))); + assertFalse(analyzer.accept(new File("maven_install.txt"))); + assertFalse(analyzer.accept(new File("pinned.json"))); + assertFalse(analyzer.accept(new File("install.json.zip"))); + } + + /** + * Tests that the analyzer correctly pulls dependencies out of a pinned {@code maven_install.json}. + */ + @Test + public void testAnalyzePinnedInstallJson() throws Exception { + try (Engine engine = new Engine(getSettings())) { + final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "maven_install.json")); + engine.addDependency(result); + analyzer.analyze(result, engine); + assertFalse(ArrayUtils.contains(engine.getDependencies(), result)); + assertEquals(10, engine.getDependencies().length); + boolean found = false; + for (Dependency d : engine.getDependencies()) { + if ("com.google.errorprone:error_prone_annotations".equals(d.getName())) { + found = true; + assertEquals("2.3.4", d.getVersion()); + assertEquals(Ecosystem.JAVA, d.getEcosystem()); + } + } + assertTrue("Expected to find com.google.errorprone:error_prone_annotations:2.3.4", found); + } + } + + /** + * Tests that the analyzer ignores a Cloudflare-style {@code install.json}. 
+ */
+ @Test
+ public void testAnalyzeOtherInstallJson() throws Exception {
+ try (Engine engine = new Engine(getSettings())) {
+ final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "install.json"));
+ engine.addDependency(result);
+ analyzer.analyze(result, engine);
+ assertTrue(ArrayUtils.contains(engine.getDependencies(), result));
+ assertEquals(1, engine.getDependencies().length);
+ }
+ }
+}
diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties
index 72293950ce2..751c6706943 100644
--- a/core/src/test/resources/dependencycheck.properties
+++ b/core/src/test/resources/dependencycheck.properties
@@ -110,6 +110,7 @@ analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.autoconf.enabled=true
+analyzer.maveninstall.enabled=true
 analyzer.pip.enabled=true
 analyzer.pipfile.enabled=true
 analyzer.cmake.enabled=true
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 586a077e8b5..154a0f6dde4 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -438,6 +438,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 @SuppressWarnings("CanBeFinal")
 @Parameter(property = "autoconfAnalyzerEnabled")
 private Boolean autoconfAnalyzerEnabled;
+ /**
+ * Sets whether or not the Maven install Analyzer should be used.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "mavenInstallAnalyzerEnabled")
+ private Boolean mavenInstallAnalyzerEnabled;
 /**
 * Sets whether or not the pip Analyzer should be used.
 */
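Review bot: The static imports `org.hamcrest.CoreMatchers.equalTo` and `org.hamcrest.MatcherAssert.assertThat` are never used in this test class, and `import static org.junit.Assert.*;` is a wildcard; drop the two unused lines and import `assertEquals`, `assertTrue` and `assertFalse` explicitly. In `testAnalyzePinnedInstallJson` the expected count `assertEquals(10, engine.getDependencies().length);` is unexplained; a comment such as `// one Dependency per non-"sources" coordinate in maven_install.json; the :jar:sources: entries are skipped` ties the number to the fixture so it does not look arbitrary. The same test only inspects `error_prone_annotations`; asserting that no dependency named with a `sources` classifier was added would also pin the skip branch the analyzer relies on.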
@@ -2095,6 +2101,7 @@ protected void populateSettings() {
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+ settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
diff --git a/src/test/resources/install.json b/src/test/resources/install.json
new file mode 100644
index 00000000000..bc07b9f1c39
--- /dev/null
+++ b/src/test/resources/install.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "http://json.schemastore.org/install",
+ "resources": {
+ "head": [],
+ "body": []
+ },
+ "options": {
+ "properties": {}
+ },
+ "preview": {
+ "handlers": []
+ },
+ "hooks": [],
+ "dns": []
+}
\ No newline at end of file
diff --git a/src/test/resources/maven_install.json b/src/test/resources/maven_install.json
new file mode 100644
index 00000000000..d9ace0113c8
--- /dev/null
+++ b/src/test/resources/maven_install.json
@@ -0,0 +1,296 @@ +{ + "dependency_tree": { + "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", + "__INPUT_ARTIFACTS_HASH": -501192379, + "__RESOLVED_ARTIFACTS_HASH": -859727869, + "conflict_resolution": {}, + "dependencies": [ + { + "coord": "com.google.code.findbugs:jsr305:3.0.2", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" + ], + "sha256": "766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7", + "url": "https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" + }, + { + "coord": "com.google.code.findbugs:jsr305:jar:sources:3.0.2", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2-sources.jar" + ], + "sha256": "1c9e85e272d0708c6a591dc74828c71603053b48cc75ae83cce56912a2aa063b", + "url": "https://repo1.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2-sources.jar" + }, + { + "coord": "com.google.errorprone:error_prone_annotations:2.3.4", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4.jar" + ], + "sha256": "baf7d6ea97ce606c53e11b6854ba5f2ce7ef5c24dddf0afa18d1260bd25b002c", + "url": "https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4.jar" + }, + { + "coord": "com.google.errorprone:error_prone_annotations:jar:sources:2.3.4", + 
"dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4-sources.jar" + ], + "sha256": "0b1011d1e2ea2eab35a545cffd1cff3877f131134c8020885e8eaf60a7d72f91", + "url": "https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.3.4/error_prone_annotations-2.3.4-sources.jar" + }, + { + "coord": "com.google.guava:failureaccess:1.0.1", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar" + ], + "sha256": "a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26", + "url": "https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar" + }, + { + "coord": "com.google.guava:failureaccess:jar:sources:1.0.1", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1-sources.jar" + ], + "sha256": "092346eebbb1657b51aa7485a246bf602bb464cc0b0e2e1c7e7201fadce1e98f", + "url": "https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1-sources.jar" + }, + { + "coord": "com.google.guava:guava-testlib:29.0-jre", + "dependencies": [ + "com.google.code.findbugs:jsr305:3.0.2", + "com.google.errorprone:error_prone_annotations:2.3.4", + "com.google.guava:failureaccess:1.0.1", + "com.google.guava:guava:29.0-jre", + "com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava", + 
"com.google.j2objc:j2objc-annotations:1.3", + "junit:junit:4.13", + "org.checkerframework:checker-qual:2.11.1", + "org.hamcrest:hamcrest-core:1.3" + ], + "directDependencies": [ + "com.google.code.findbugs:jsr305:3.0.2", + "com.google.errorprone:error_prone_annotations:2.3.4", + "com.google.guava:guava:29.0-jre", + "com.google.j2objc:j2objc-annotations:1.3", + "junit:junit:4.13", + "org.checkerframework:checker-qual:2.11.1" + ], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre.jar" + ], + "sha256": "f15908de80ff261adde7823d1df599b7447de4863f7c521068ecf881cb1fc79b", + "url": "https://repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre.jar" + }, + { + "coord": "com.google.guava:guava-testlib:jar:sources:29.0-jre", + "dependencies": [ + "com.google.code.findbugs:jsr305:jar:sources:3.0.2", + "com.google.errorprone:error_prone_annotations:jar:sources:2.3.4", + "com.google.guava:failureaccess:jar:sources:1.0.1", + "com.google.guava:guava:jar:sources:29.0-jre", + "com.google.guava:listenablefuture:jar:sources:9999.0-empty-to-avoid-conflict-with-guava", + "com.google.j2objc:j2objc-annotations:jar:sources:1.3", + "junit:junit:jar:sources:4.13", + "org.checkerframework:checker-qual:jar:sources:2.11.1", + "org.hamcrest:hamcrest-core:jar:sources:1.3" + ], + "directDependencies": [ + "com.google.code.findbugs:jsr305:jar:sources:3.0.2", + "com.google.errorprone:error_prone_annotations:jar:sources:2.3.4", + "com.google.guava:guava:jar:sources:29.0-jre", + "com.google.j2objc:j2objc-annotations:jar:sources:1.3", + "junit:junit:jar:sources:4.13", + "org.checkerframework:checker-qual:jar:sources:2.11.1" + ], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre-sources.jar", + "mirror_urls": [ + 
"https://repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre-sources.jar" + ], + "sha256": "810a5ebff92f48af06e47ba3fb35c9ee38b777b5bf25eb2b1c99b595c53d0fe8", + "url": "https://repo1.maven.org/maven2/com/google/guava/guava-testlib/29.0-jre/guava-testlib-29.0-jre-sources.jar" + }, + { + "coord": "com.google.guava:guava:29.0-jre", + "dependencies": [ + "com.google.code.findbugs:jsr305:3.0.2", + "com.google.errorprone:error_prone_annotations:2.3.4", + "com.google.guava:failureaccess:1.0.1", + "com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava", + "com.google.j2objc:j2objc-annotations:1.3", + "org.checkerframework:checker-qual:2.11.1" + ], + "directDependencies": [ + "com.google.code.findbugs:jsr305:3.0.2", + "com.google.errorprone:error_prone_annotations:2.3.4", + "com.google.guava:failureaccess:1.0.1", + "com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava", + "com.google.j2objc:j2objc-annotations:1.3", + "org.checkerframework:checker-qual:2.11.1" + ], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar" + ], + "sha256": "b22c5fb66d61e7b9522531d04b2f915b5158e80aa0b40ee7282c8bfb07b0da25", + "url": "https://repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar" + }, + { + "coord": "com.google.guava:guava:jar:sources:29.0-jre", + "dependencies": [ + "com.google.code.findbugs:jsr305:jar:sources:3.0.2", + "com.google.errorprone:error_prone_annotations:jar:sources:2.3.4", + "com.google.guava:failureaccess:jar:sources:1.0.1", + "com.google.guava:listenablefuture:jar:sources:9999.0-empty-to-avoid-conflict-with-guava", + "com.google.j2objc:j2objc-annotations:jar:sources:1.3", + "org.checkerframework:checker-qual:jar:sources:2.11.1" + ], + "directDependencies": [ + "com.google.code.findbugs:jsr305:jar:sources:3.0.2", + 
"com.google.errorprone:error_prone_annotations:jar:sources:2.3.4", + "com.google.guava:failureaccess:jar:sources:1.0.1", + "com.google.guava:listenablefuture:jar:sources:9999.0-empty-to-avoid-conflict-with-guava", + "com.google.j2objc:j2objc-annotations:jar:sources:1.3", + "org.checkerframework:checker-qual:jar:sources:2.11.1" + ], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre-sources.jar" + ], + "sha256": "cfcbe29dd5125f5b360370b4ecd7f7ef44fba68f4f037e90bce7315682afc0ea", + "url": "https://repo1.maven.org/maven2/com/google/guava/guava/29.0-jre/guava-29.0-jre-sources.jar" + }, + { + "coord": "com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" + ], + "sha256": "b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99", + "url": "https://repo1.maven.org/maven2/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" + }, + { + "coord": "com.google.guava:listenablefuture:jar:sources:9999.0-empty-to-avoid-conflict-with-guava", + "dependencies": [], + "directDependencies": [], + "file": null + }, + { + "coord": "com.google.j2objc:j2objc-annotations:1.3", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar", + "mirror_urls": [ + 
"https://repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar" + ], + "sha256": "21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b", + "url": "https://repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar" + }, + { + "coord": "com.google.j2objc:j2objc-annotations:jar:sources:1.3", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3-sources.jar" + ], + "sha256": "ba4df669fec153fa4cd0ef8d02c6d3ef0702b7ac4cabe080facf3b6e490bb972", + "url": "https://repo1.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3-sources.jar" + }, + { + "coord": "junit:junit:4.13", + "dependencies": [ + "org.hamcrest:hamcrest-core:1.3" + ], + "directDependencies": [ + "org.hamcrest:hamcrest-core:1.3" + ], + "file": "v1/https/repo1.maven.org/maven2/junit/junit/4.13/junit-4.13.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/junit/junit/4.13/junit-4.13.jar" + ], + "sha256": "4b8532f63bdc0e0661507f947eb324a954d1dbac631ad19c8aa9a00feed1d863", + "url": "https://repo1.maven.org/maven2/junit/junit/4.13/junit-4.13.jar" + }, + { + "coord": "junit:junit:jar:sources:4.13", + "dependencies": [ + "org.hamcrest:hamcrest-core:jar:sources:1.3" + ], + "directDependencies": [ + "org.hamcrest:hamcrest-core:jar:sources:1.3" + ], + "file": "v1/https/repo1.maven.org/maven2/junit/junit/4.13/junit-4.13-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/junit/junit/4.13/junit-4.13-sources.jar" + ], + "sha256": "3d5451031736d4904582b211858a09eeefdb26eb08f0633ca8addf04fde3e0fc", + "url": "https://repo1.maven.org/maven2/junit/junit/4.13/junit-4.13-sources.jar" + }, + { + "coord": "org.checkerframework:checker-qual:2.11.1", + "dependencies": [], + 
"directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1.jar" + ], + "sha256": "015224a4b1dc6de6da053273d4da7d39cfea20e63038169fc45ac0d1dc9c5938", + "url": "https://repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1.jar" + }, + { + "coord": "org.checkerframework:checker-qual:jar:sources:2.11.1", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1-sources.jar" + ], + "sha256": "7d3b990687be9b980a9dc7853f4b0f279eb437e28efe3c9903acaf20450f55b5", + "url": "https://repo1.maven.org/maven2/org/checkerframework/checker-qual/2.11.1/checker-qual-2.11.1-sources.jar" + }, + { + "coord": "org.hamcrest:hamcrest-core:1.3", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar" + ], + "sha256": "66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9", + "url": "https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar" + }, + { + "coord": "org.hamcrest:hamcrest-core:jar:sources:1.3", + "dependencies": [], + "directDependencies": [], + "file": "v1/https/repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3-sources.jar", + "mirror_urls": [ + "https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3-sources.jar" + ], + "sha256": "e223d2d8fbafd66057a8848cc94222d63c3cedd652cc48eddc0ab5c39c0f84df", + "url": 
"https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3-sources.jar"
+ }
+ ],
+ "version": "0.1.0"
+ }
+}
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index b57810d4ac2..51c4bb40e01 100644
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -429,6 +429,10 @@ public static final class KEYS {
 * The properties key for whether the Autoconf analyzer is enabled.
 */
 public static final String ANALYZER_AUTOCONF_ENABLED = "analyzer.autoconf.enabled";
+ /**
+ * The properties key for whether the maven_install.json analyzer is enabled.
+ */
+ public static final String ANALYZER_MAVEN_INSTALL_ENABLED = "analyzer.maveninstall.enabled";
 /**
 * The properties key for whether the pip analyzer is enabled.
 */

From f7129f9fca531e33e466d5cc10562f5a969c6ebc Mon Sep 17 00:00:00 2001
From: Dan Halperin
Date: Mon, 29 Aug 2022 09:53:14 -0700
Subject: [PATCH 2/2] Update core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java

Co-authored-by: Jeremy Long
---
 .../dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
index b64f41ca3c7..33a57689441 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
@@ -167,7 +167,7 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An version = pieces[4]; } - if ("sources".equals(classifier)) { + if ("sources".equals(classifier) || "javadoc".equals(classifier)) { LOGGER.debug("Skipping sources jar {}", dep.coord); continue; }
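Review bot: The debug message on the line after the changed condition still reads `Skipping sources jar {}`, but the new condition also skips `javadoc` classifiers, so the log now misreports which kind of artifact was dropped from the scan. Since `classifier` is already in scope, `LOGGER.debug("Skipping {} jar {}", classifier, dep.coord);` keeps the message accurate for both cases and for any classifier added later. If further non-code classifiers are expected, a `static final Set<String>` of skipped classifiers checked with `contains` would read better than a growing `||` chain, though the two-term form is acceptable as is. The enclosing `analyzeDependency` method starts and ends outside the hunk.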