Merge pull request #30 from fosslight/dev2

Add vulnerability  column for jar file analysis result

Author: bjk7119

requirements.txt

@@ -8,5 +8,5 @@ py-tlsh
 pytz
 XlsxWriter
 PyYAML
-fosslight_util>=1.3.8
+fosslight_util>=1.3.11
 dependency-check

src/fosslight_binary/_binary.py

@@ -36,13 +36,25 @@ def get_comment(self):
         return self.comment
 
 
+class VulnerabilityItem:
+    file_path = ""
+    vul_id = ""
+    nvd_url = ""
+
+    def __init__(self, file_path, id, url):
+        self.file_path = file_path
+        self.vul_id = id
+        self.nvd_url = url
+
+
 class BinaryItem:
     bin_name = ""
     binary_name_without_path = ""
     binary_strip_root = ""  # Value of binary name column
     tlsh = _TLSH_CHECKSUM_NULL
     checksum = _TLSH_CHECKSUM_NULL
     oss_items = []
+    vulnerability_items = []
     exclude = False
     comment = ""
     found_in_db = False
@@ -53,6 +65,7 @@ def __init__(self, value):
         self.checksum = _TLSH_CHECKSUM_NULL
         self.tlsh = _TLSH_CHECKSUM_NULL
         self.oss_items = []
+        self.vulnerability_items = []
         self.binary_name_without_path = ""
         self.set_bin_name(value)
 
@@ -67,6 +80,14 @@ def set_oss_items(self, new_oss_list, exclude_old=False, exclude_msg=""):
         # Append New input OSS
         self.oss_items.extend(new_oss_list)
 
+    def set_vulnerability_items(self, vul_list):
+        if vul_list is not None:
+            self.vulnerability_items.extend(vul_list)
+
+    def get_vulnerability_items(self):
+        nvd_url = [vul_item.nvd_url for vul_item in self.vulnerability_items]
+        return ", ".join(nvd_url)
+
     def set_commnet(self, value):
         self.comment = value
 
@@ -93,8 +114,9 @@ def get_oss_report(self):
         if len(self.oss_items) > 0:
             for oss in self.oss_items:
                 exclude = _EXCLUDE_TRUE_VALUE if (self.exclude or oss.exclude) else ""
+                nvd_url = self.get_vulnerability_items()
                 print_rows.append([self.binary_strip_root, oss.name, oss.version,
-                                   oss.license, oss.dl_url, '', '', exclude, oss.comment])
+                                   oss.license, oss.dl_url, '', '', exclude, oss.comment, nvd_url])
         else:
             exclude = _EXCLUDE_TRUE_VALUE if self.exclude else ""
             print_rows.append([self.binary_strip_root, '',

src/fosslight_binary/_jar_analysis.py

@@ -8,7 +8,7 @@
 import os
 import subprocess
 import fosslight_util.constant as constant
-from ._binary import BinaryItem, OssItem
+from ._binary import BinaryItem, OssItem, VulnerabilityItem
 
 
 logger = logging.getLogger(constant.LOGGER_NAME)
@@ -41,7 +41,7 @@ def get_oss_lic_in_jar(data):
     return license
 
 
-def merge_binary_list(owasp_items, bin_list):
+def merge_binary_list(owasp_items, vulnerability_items, bin_list):
     not_found_bin = []
 
     # key : file_path / value : oss_list for one binary
@@ -50,6 +50,8 @@ def merge_binary_list(owasp_items, bin_list):
         for bin in bin_list:
             if bin.binary_strip_root == key:
                 bin.set_oss_items(value, False)
+                if vulnerability_items is not None:
+                    bin.set_vulnerability_items(vulnerability_items.get(key))
                 found = True
                 break
 
@@ -64,9 +66,36 @@ def merge_binary_list(owasp_items, bin_list):
     return bin_list
 
 
+def get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items):
+    if vulnerability is not None:
+        try:
+            for vul_info in vulnerability:
+                vul_id = ""
+                nvd_url = ""
+                for key, val in vul_info.items():
+                    if key == 'id':
+                        vul_id = val
+                    elif key == 'url':
+                        nvd_url = val
+
+                vul_item = VulnerabilityItem(file_with_path, vul_id, nvd_url)
+
+                remove_vulnerability_items = vulnerability_items.get(file_with_path)
+                if remove_vulnerability_items:
+                    remove_vulnerability_items.append(vul_item)
+                else:
+                    vulnerability_items[file_with_path] = [vul_item]
+        except Exception as ex:
+            logger.info(f"Error to get vul_id and nvd_url: {ex}")
+
+    return vulnerability_items
+
+
 def ananlyze_jar_file(path_to_find_bin):
     remove_owasp_item = []
     owasp_items = {}
+    remove_vulnerability_items = []
+    vulnerability_items = {}
 
     try:
         command = f"dependency-check --scan {path_to_find_bin} --out {path_to_find_bin} --disableArchive --disableAssembly --disableRetireJS --disableNodeJS \
@@ -91,6 +120,7 @@ def ananlyze_jar_file(path_to_find_bin):
                 get_oss_info = False
 
                 all_evidence = val.get("evidenceCollected")
+                vulnerability = val.get("vulnerabilityIds")
                 vendor_evidences = all_evidence.get('vendorEvidence')
                 product_evidences = all_evidence.get('productEvidence')
                 version_evidences = all_evidence.get('versionEvidence')
@@ -133,6 +163,12 @@ def ananlyze_jar_file(path_to_find_bin):
                             if oss_ver == "" and (product_info['name'] == 'Implementation-Version' or product_info['name'] == 'Bundle-Version'):
                                 oss_ver = product_info['value']
 
+                # Get Vulnerability Info.
+                try:
+                    vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)
+                except Exception as ex:
+                    logger.info(f"Error to get vulnerability Info. : {ex}")
+
                 if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "":
                     oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
                     oss.set_comment("OWASP Result. ")
@@ -148,4 +184,4 @@ def ananlyze_jar_file(path_to_find_bin):
     except Exception as ex:
         logger.warning(f"Error to use dependency-check : {ex}")
 
-    return owasp_items
+    return owasp_items, vulnerability_items

src/fosslight_binary/binary_analysis.py

@@ -40,6 +40,12 @@
 _root_path = ""
 _start_time = ""
 windows = False
+extended_header = {}
+
+JAR_VUL_HEADER = {'BIN_FL_Binary': ['ID', 'Source Name or Path', 'OSS Name',
+                                    'OSS Version', 'License', 'Download Location',
+                                    'Homepage', 'Copyright Text', 'Exclude',
+                                    'Comment', 'Vulnerability Link']}
 
 
 def init(path_to_find_bin, output_file_name, format):
@@ -145,9 +151,10 @@ def find_binaries(path_to_find_bin, output_dir, format, dburl=""):
         # Run OWASP Dependency-check
         if found_jar:
             logger.info("Run OWASP Dependency-check to analyze .jar file")
-            owasp_items = ananlyze_jar_file(path_to_find_bin)
+            owasp_items, vulnerability_items = ananlyze_jar_file(path_to_find_bin)
             if owasp_items:
-                return_list = merge_binary_list(owasp_items, return_list)
+                return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
+            extended_header = JAR_VUL_HEADER
 
         return_list, db_loaded_cnt = get_oss_info_from_db(return_list, dburl)
         return_list = sorted(return_list, key=lambda row: (row.bin_name))
@@ -167,8 +174,7 @@ def find_binaries(path_to_find_bin, output_dir, format, dburl=""):
             content_list.extend(scan_item.get_oss_report())
         sheet_list["BIN_FL_Binary"] = content_list
 
-        success_to_write, writing_msg = write_output_file(result_report, output_extension,
-                                                          sheet_list)
+        success_to_write, writing_msg = write_output_file(result_report, output_extension, sheet_list, extended_header)
     except Exception as ex:
         error_occured(error_msg=str(ex), exit=False)