Add a PinnedMavenInstallAnalyzer

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -302,6 +302,10 @@ public class Check extends Update {
      * Whether the pip analyzer should be enabled.
      */
     private Boolean pipAnalyzerEnabled;
+    /**
+     * Whether the Maven install.json analyzer should be enabled.
+     */
+    private Boolean mavenInstallAnalyzerEnabled;
     /**
      * Whether the pipfile analyzer should be enabled.
      */
@@ -1986,6 +1990,7 @@ protected void populateSettings() throws BuildException {
         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -511,6 +511,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_PY_PKG, Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED,
                 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_AUTOCONF, Settings.KEYS.ANALYZER_AUTOCONF_ENABLED));
+        settings.setBoolean(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED,
+                !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_MAVEN_INSTALL, Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_PIP_ENABLED,
                 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_PIP, Settings.KEYS.ANALYZER_PIP_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_PIPFILE_ENABLED,

cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -1196,6 +1196,10 @@ public static class ARGUMENT {
          * Disables the Autoconf Analyzer.
          */
         public static final String DISABLE_AUTOCONF = "disableAutoconf";
+        /**
+         * Disables the Maven install Analyzer.
+         */
+        public static final String DISABLE_MAVEN_INSTALL = "disableMavenInstall";
         /**
          * Disables the pip Analyzer.
          */

cli/src/test/resources/sample.properties

@@ -9,6 +9,7 @@ analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.autoconf.enabled=true
+analyzer.maveninstall.enabled=true
 analyzer.pip.enabled=true
 analyzer.pipfile.enabled=true
 analyzer.cmake.enabled=true

cli/src/test/resources/sample2.properties

@@ -9,6 +9,7 @@ analyzer.python.distribution.enabled=false
 analyzer.python.package.enabled=false
 analyzer.ruby.gemspec.enabled=false
 analyzer.autoconf.enabled=false
+analyzer.maveninstall.enabled=false
 analyzer.pip.enabled=false
 analyzer.pipfile.enabled=false
 analyzer.cmake.enabled=false

core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java

@@ -0,0 +1,262 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2020 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectReader;
+import com.github.packageurl.MalformedPackageURLException;
+import com.github.packageurl.PackageURL;
+import com.github.packageurl.PackageURLBuilder;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
+import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.concurrent.ThreadSafe;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * Used to analyze Maven pinned dependency files named {@code *install*.json}, a Java Maven dependency lockfile
+ * like Python's {@code requirements.txt}.
+ *
+ * @author dhalperi
+ * @see <a href="https://github.com/bazelbuild/rules_jvm_external#pinning-artifacts-and-integration-with-bazels-downloader">rules_jvm_external</a>
+ */
+@Experimental
+@ThreadSafe
+public class PinnedMavenInstallAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(PinnedMavenInstallAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Pinned Maven install Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * Pattern matching files with "install" in the basename and extension "json".
+     *
+     * <p>This regex is designed to explicitly skip files named {@code install.json} since those are used for
+     * Cloudflare installations and this will save on work.
+     */
+    private static final Pattern MAVEN_INSTALL_JSON_PATTERN = Pattern.compile("(.+install.*|.*install.+)\\.json");
+
+    /**
+     * Match any files that look like *install*.json.
+     */
+    private static final FileFilter FILTER = (File file) -> MAVEN_INSTALL_JSON_PATTERN.matcher(file.getName()).matches();
+
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED;
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.debug("Checking file {}", dependency.getActualFilePath());
+
+        final File dependencyFile = dependency.getActualFile();
+        if (!dependencyFile.isFile() || dependencyFile.length() == 0) {
+            return;
+        }
+
+        DependencyTree tree;
+        try {
+            InstallFile installFile = INSTALL_FILE_READER.readValue(dependencyFile);
+            tree = installFile.dependencyTree;
+        } catch (IOException e) {
+            return;
+        }
+
+        if (tree == null) {
+            return;
+        } else if (!Objects.equals(tree.autogeneratedSentinel, "THERE_IS_NO_DATA_ONLY_ZUUL")) {
+            return;
+        }
+
+        engine.removeDependency(dependency);
+
+        if (!Objects.equals(tree.version, "0.1.0")) {
+            LOGGER.warn("Unsupported pinned maven_install.json version {}. Continuing optimistically.", tree.version);
+        }
+
+        List<MavenDependency> deps = tree.dependencies;
+        if (deps == null) {
+            deps = Collections.emptyList();
+        }
+
+        for (MavenDependency dep : deps) {
+            if (dep.coord == null) {
+                LOGGER.warn("Unexpected null coordinate in {}", dependency.getActualFilePath());
+                continue;
+            }
+
+            LOGGER.debug("Analyzing {}", dep.coord);
+            String[] pieces = dep.coord.split(":");
+            if (pieces.length < 3 || pieces.length > 5) {
+                LOGGER.warn("Invalid maven coordinate {}", dep.coord);
+                continue;
+            }
+
+            String group = pieces[0];
+            String artifact = pieces[1];
+            String version;
+            String classifier = null;
+            if (pieces.length == 3) {
+                version = pieces[2];
+            } else if (pieces.length == 4) {
+                classifier = pieces[2];
+                version = pieces[3];
+            } else {
+                // length == 5 as guaranteed above.
+                classifier = pieces[3];
+                version = pieces[4];
+            }
+
+            if ("sources".equals(classifier) || "javadoc".equals(classifier)) {
+                LOGGER.debug("Skipping sources jar {}", dep.coord);
+                continue;
+            }
+
+            final Dependency d = new Dependency(dependency.getActualFile(), true);
+            d.setEcosystem(Ecosystem.JAVA);
+            d.addEvidence(EvidenceType.VENDOR, "project", "groupid", group, Confidence.HIGHEST);
+            d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", artifact, Confidence.HIGHEST);
+            d.addEvidence(EvidenceType.VERSION, "project", "version", version, Confidence.HIGHEST);
+            d.setName(String.format("%s:%s", group, artifact));
+            d.setFilePath(String.format("%s>>%s", dependency.getActualFile(), dep.coord));
+            d.setFileName(dep.coord);
+            try {
+                final PackageURLBuilder purl = PackageURLBuilder.aPackageURL()
+                        .withType(PackageURL.StandardTypes.MAVEN)
+                        .withNamespace(group)
+                        .withName(artifact)
+                        .withVersion(version);
+                if (classifier != null) {
+                    purl.withQualifier("classifier", classifier);
+                }
+                d.addSoftwareIdentifier(new PurlIdentifier(purl.build(), Confidence.HIGHEST));
+            } catch (MalformedPackageURLException e) {
+                d.addSoftwareIdentifier(new GenericIdentifier("maven_install JSON coord " + dep.coord, Confidence.HIGH));
+            }
+            d.setVersion(version);
+            engine.addDependency(d);
+        }
+    }
+
+    @Override
+    protected void prepareFileTypeAnalyzer(Engine engine) {
+        // No initialization needed.
+    }
+
+    /**
+     * Represents the entire pinned Maven dependency set in an install.json file.
+     *
+     * <p>At the time of writing, the latest version is 0.1.0, and the dependencies are stored in {@code .dependency_tree.dependencies[].coord}.
+     *
+     * <p>The only top-level key we care about is {@code .dependency_tree}.
+     */
+    private static class InstallFile {
+        @JsonProperty("dependency_tree")
+        public DependencyTree dependencyTree;
+    }
+
+    /**
+     * Represents the values at {@code .dependency_tree} in the {@link InstallFile install file}.
+     */
+    private static class DependencyTree {
+        /**
+         * A sentinel value placed in the file to indicate that it is an auto-generated pinned maven install file.
+         */
+        @JsonProperty("__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY")
+        public String autogeneratedSentinel;
+
+        /**
+         * A list of Maven dependencies made available. Note that this list is transitively closed and pinned to a specific version of each artifact.
+         */
+        @JsonProperty("dependencies")
+        public List<MavenDependency> dependencies;
+
+        /**
+         * The file format version.
+         */
+        @JsonProperty("version")
+        public String version;
+    }
+
+    /**
+     * Represents a single dependency in the list at {@code .dependency_tree.dependencies}.
+     */
+    private static class MavenDependency {
+        /**
+         * The standard Maven coordinate string {@code group:artifact[:optional classifier][:optional packaging]:version}.
+         */
+        @JsonProperty("coord")
+        public String coord;
+    }
+
+    /**
+     * A reusable reader for {@link InstallFile}.
+     */
+    private static final ObjectReader INSTALL_FILE_READER;
+
+    static {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+        INSTALL_FILE_READER = mapper.readerFor(InstallFile.class);
+    }
+}

core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -42,3 +42,4 @@ org.owasp.dependencycheck.analyzer.SwiftPackageResolvedAnalyzer
 org.owasp.dependencycheck.analyzer.VersionFilterAnalyzer
 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer
 org.owasp.dependencycheck.analyzer.PerlCpanfileAnalyzer
+org.owasp.dependencycheck.analyzer.PinnedMavenInstallAnalyzer

core/src/main/resources/dependencycheck.properties

@@ -129,6 +129,7 @@ analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.bundle.audit.enabled=true
 analyzer.autoconf.enabled=true
+analyzer.maveninstall.enabled=true
 analyzer.pip.enabled=true
 analyzer.pipfile.enabled=true
 analyzer.cmake.enabled=true