Merge pull request #24 from fosslight/develop

Apply OWASP dependency-check to analyze jar file

Author: soimkim

.reuse/dep5

@@ -34,6 +34,10 @@ Files: tests/askalono_macos
 Copyright: 2018 Amazon.com, Inc. or its affiliates.
 License: Apache-2.0
 
+Files: tests/error_prone_annotations-2.7.1.jar
+Copyright: 2015 The Error Prone Authors.
+License: Apache-2.0
+
 Files: tests/test/askalono_macos
 Copyright: 2018 Amazon.com, Inc. or its affiliates.
 License: Apache-2.0

requirements.txt

@@ -8,4 +8,5 @@ py-tlsh
 pytz
 XlsxWriter
 PyYAML
-fosslight_util>=1.3.4
+fosslight_util>=1.3.8
+dependency-check

src/fosslight_binary/_binary.py

@@ -14,11 +14,26 @@ class OssItem:
     name = ""
     version = ""
     license = ""
+    dl_url = ""
+    comment = ""
+    exclude = False
 
-    def __init__(self, name, version, license):
+    def __init__(self, name, version, license, dl_url=""):
         self.name = name
         self.version = version
         self.license = license
+        self.dl_url = dl_url
+        self.exclude = False
+        self.comment = ""
+
+    def set_comment(self, value):
+        self.comment += value
+
+    def set_exclude(self, value):
+        self.exclude = value
+
+    def get_comment(self):
+        return self.comment
 
 
 class BinaryItem:
@@ -28,10 +43,12 @@ class BinaryItem:
     tlsh = _TLSH_CHECKSUM_NULL
     checksum = _TLSH_CHECKSUM_NULL
     oss_items = []
-    exclude = ""
+    exclude = False
+    comment = ""
+    found_in_db = False
 
     def __init__(self, value):
-        self.exclude = ""
+        self.exclude = False
         self.binary_strip_root = ""
         self.checksum = _TLSH_CHECKSUM_NULL
         self.tlsh = _TLSH_CHECKSUM_NULL
@@ -42,33 +59,46 @@ def __init__(self, value):
     def __del__(self):
         pass
 
-    def set_oss_items(self, value):
-        self.oss_items.append(value)
+    def set_oss_items(self, new_oss_list, exclude_old=False, exclude_msg=""):
+        if exclude_old:
+            for old_oss in self.oss_items:
+                old_oss.set_exclude(True)
+                old_oss.set_comment(exclude_msg)
+        # Append New input OSS
+        self.oss_items.extend(new_oss_list)
+
+    def set_commnet(self, value):
+        self.comment = value
 
     def set_bin_name(self, value):
         self.bin_name = value
 
     def set_exclude(self, value):
-        self.exclude = _EXCLUDE_TRUE_VALUE if value else ""
+        self.exclude = value
 
     def set_checksum(self, value):
         self.checksum = value
 
     def set_tlsh(self, value):
         self.tlsh = value
 
+    def get_comment(self):
+        return self.comment
+
     def get_print_binary_only(self):
         return (self.binary_strip_root + "\t" + self.checksum + "\t" + self.tlsh)
 
-    def get_print_oss_report(self):
+    def get_oss_report(self):
         print_rows = []
         if len(self.oss_items) > 0:
             for oss in self.oss_items:
+                exclude = _EXCLUDE_TRUE_VALUE if (self.exclude or oss.exclude) else ""
                 print_rows.append([self.binary_strip_root, oss.name, oss.version,
-                                   oss.license, '', '', '', self.exclude, ''])
+                                   oss.license, oss.dl_url, '', '', exclude, oss.comment])
         else:
+            exclude = _EXCLUDE_TRUE_VALUE if self.exclude else ""
             print_rows.append([self.binary_strip_root, '',
-                               '', '', '', '', '', self.exclude, ''])
+                               '', '', '', '', '', exclude, ''])
 
         return print_rows
 

src/fosslight_binary/_binary_dao.py

@@ -26,6 +26,7 @@ def get_oss_info_from_db(bin_info_list, dburl=""):
 
     if conn != "" and cur != "":
         for item in bin_info_list:
+            bin_oss_items = []
             tlsh_value = item.tlsh
             checksum_value = item.checksum
             bin_file_name = item.binary_name_without_path
@@ -37,8 +38,12 @@ def get_oss_info_from_db(bin_info_list, dburl=""):
                 for idx, row in df_result.iterrows():
                     oss_from_db = OssItem(
                         row['ossname'], row['ossversion'], row['license'])
-                    item.set_oss_items(oss_from_db)
+                    oss_from_db.set_comment("Binary DB Result")
+                    bin_oss_items.append(oss_from_db)
 
+                if bin_oss_items:
+                    item.found_in_db = True
+                    item.set_oss_items(bin_oss_items, True, "Excluded due to Binary DB.")
     disconnect_lge_bin_db()
     return bin_info_list, _cnt_auto_identified
 

src/fosslight_binary/_help.py

@@ -15,6 +15,7 @@
 
     Options:
         -h\t\t\t\t    Print help message
+        -v\t\t\t\t    Print FOSSLight Binary Scanner version
         -a <target_architecture>\t    Target Architecture(x86-64, ARM, MIPS, Mach-O, and etc.)
         -o <output_path>\t\t    Output path
         \t\t\t\t    (If you want to generate the specific file name, add the output path with file name.)

src/fosslight_binary/_jar_analysis.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2022 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+import logging
+import json
+import os
+import subprocess
+import fosslight_util.constant as constant
+from ._binary import BinaryItem, OssItem
+
+
+logger = logging.getLogger(constant.LOGGER_NAME)
+
+
+def get_oss_ver(version):
+    oss_version = ""
+
+    if version['source'] == 'pom':
+        if version['name'] == 'version':
+            oss_version = version['value']
+
+    return oss_version
+
+
+def get_oss_lic_in_jar(data):
+    license = ""
+    license_raw = str(data.get("license"))
+    split_lic = license_raw.split(':')[0]
+
+    # Not NoneType but string 'None'
+    if license_raw == "None":
+        license = ""
+    else:
+        if not split_lic.startswith('http'):
+            license = split_lic.replace(',', '')
+        else:
+            license = license_raw
+
+    return license
+
+
+def merge_binary_list(owasp_items, bin_list):
+    not_found_bin = []
+
+    # key : file_path / value : oss_list for one binary
+    for key, value in owasp_items.items():
+        found = False
+        for bin in bin_list:
+            if bin.binary_strip_root == key:
+                bin.set_oss_items(value, False)
+                found = True
+                break
+
+        if not found:
+            bin_item = BinaryItem(os.path.abspath(key))
+            bin_item.binary_name_without_path = os.path.basename(key)
+            bin_item.binary_strip_root = key
+            bin_item.set_oss_items(value)
+            not_found_bin.append(bin_item)
+
+    bin_list += not_found_bin
+    return bin_list
+
+
+def ananlyze_jar_file(path_to_find_bin):
+    remove_owasp_item = []
+    owasp_items = {}
+
+    try:
+        command = f"dependency-check --scan {path_to_find_bin} --out {path_to_find_bin} --disableArchive --disableAssembly --disableRetireJS --disableNodeJS \
+                  --disableNodeAudit --disableNugetconf --disableNuspec --disableOpenSSL --disableOssIndex --disableBundleAudit -f ALL"
+        subprocess.run(command, shell=True)
+
+        json_file = os.path.join(path_to_find_bin, 'dependency-check-report.json')
+
+        try:
+            with open(json_file, 'r') as f:
+                jar_contents = json.load(f)
+
+            dependencies = jar_contents.get("dependencies")
+            for val in dependencies:
+                bin_with_path = ""
+                oss_name = ""
+                oss_ver = ""
+                oss_artifactid = ""
+                oss_groupid = ""
+                oss_dl_url = ""
+                oss_license = get_oss_lic_in_jar(val)
+                get_oss_info = False
+
+                all_evidence = val.get("evidenceCollected")
+                vendor_evidences = all_evidence.get('vendorEvidence')
+                product_evidences = all_evidence.get('productEvidence')
+                version_evidences = all_evidence.get('versionEvidence')
+
+                # Check if the file is .jar file
+                # Even if the oss info is from pom.xml in jar file, the file name will be .jar file.
+                # But the oss info from pom.xml could be different from .jar file.
+                bin_with_path = val.get("filePath")
+                if not bin_with_path.endswith('.jar'):
+                    bin_with_path = bin_with_path.split('.jar')[0] + '.jar'
+
+                file_with_path = os.path.relpath(bin_with_path, path_to_find_bin)
+                # Get Version info from versionEvidence
+                for version_info in version_evidences:
+                    oss_ver = get_oss_ver(version_info)
+
+                # Get Artifact ID, Group ID, OSS Name from vendorEvidence
+                for vendor_info in vendor_evidences:
+                    # Get OSS Info from POM
+                    if vendor_info['source'] == 'pom':
+                        if vendor_info['name'] == 'artifactid':
+                            oss_artifactid = vendor_info['value']
+                        if vendor_info['name'] == 'groupid':
+                            oss_groupid = vendor_info['value']
+                        if vendor_info['name'] == 'url':
+                            oss_dl_url = vendor_info['value']
+                        if oss_artifactid != "" and oss_groupid != "":
+                            oss_name = f"{oss_groupid}:{oss_artifactid}"
+
+                # Check if get oss_name and version from pom
+                if oss_name != "" and oss_ver != "":
+                    get_oss_info = True
+
+                # If there is no pom.mxl in .jar file, get oss info from MANIFEST.MF file
+                if get_oss_info is False:
+                    for product_info in product_evidences:
+                        if product_info['source'] == 'Manifest':
+                            if oss_name == "" and (product_info['name'] == 'Implementation-Title' or product_info['name'] == 'specification-title'):
+                                oss_name = product_info['value']
+                            if oss_ver == "" and (product_info['name'] == 'Implementation-Version' or product_info['name'] == 'Bundle-Version'):
+                                oss_ver = product_info['value']
+
+                oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
+                oss.set_comment("OWASP Result. ")
+
+                remove_owasp_item = owasp_items.get(file_with_path)
+                if remove_owasp_item:
+                    remove_owasp_item.append(oss)
+                else:
+                    owasp_items[file_with_path] = [oss]
+
+        except Exception as ex:
+            logger.warning(f"Error to read json file : {ex}")
+    except Exception as ex:
+        logger.warning(f"Error to use dependency-check : {ex}")
+
+    return owasp_items