Merge branch 'main' into develop

Author: bjk7119

.bumpversion.cfg

@@ -2,7 +2,7 @@
 commit = True
 tag = False
 message = Bump version: {current_version} → {new_version}
-current_version = 5.1.7
+current_version = 5.1.8
 
 [bumpversion:file:setup.py]
 search = '{current_version}'

.github/workflows/publish-release.yml

@@ -62,8 +62,8 @@ jobs:
             TARGET: ubuntu
             CMD_BUILD: >
                 pyinstaller --onefile cli.py -n cli --additional-hooks-dir=hooks --hidden-import=pkg_resources.extern --add-binary "LICENSE:LICENSES" --add-binary "LICENSES/LicenseRef-3rd_party_licenses.txt:LICENSES" &&
-                mv dist/cli fosslight_bin_ubuntu18
-            OUT_FILE_NAME: fosslight_bin_ubuntu18
+                mv dist/cli fosslight_bin_ubuntu
+            OUT_FILE_NAME: fosslight_bin_ubuntu
             ASSET_MIME: application/octet-stream
           - os: macos-latest
             TARGET: macos

.github/workflows/pull-request.yml

@@ -40,10 +40,10 @@ jobs:
         python-version: [3.12.x]
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.12
+    - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v4
       with:
-        python-version: '3.12.x'
+        python-version: ${{ matrix.python-version }}
     - name: Install & Run
       run: |
         python -m pip install --upgrade pip

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## v5.1.8 (17/07/2025)
+## Changes
+## 🐛 Hotfixes
+
+- Remove SQL injection vulnerability @bjk7119 (#150)
+
+## 🔧 Maintenance
+
+- Change the minimum Python version to 3.10 @bjk7119 (#151)
+- Remove the duplicated comment @bjk7119 (#146)
+- Fix workflow waring message @bjk7119 (#145)
+
+---
+
 ## v5.1.7 (25/05/2025)
 ## Changes
 ## 🔧 Maintenance
@@ -290,11 +304,3 @@
 ## 🔧 Maintenance
 
 - Modify not to generate binary.txt if no binaries @dd-jy (#76)
-
----
-
-## v4.1.13 (04/11/2022)
-## Changes
-## 🔧 Maintenance
-
-- Print license text through notice parameter @dd-jy (#75)

requirements.txt

@@ -2,7 +2,7 @@ binaryornot
 numpy
 pandas
 parmap
-psycopg2-binary==2.9.9
+psycopg2-binary
 python-dateutil
 py-tlsh
 pytz

setup.py

@@ -33,7 +33,7 @@
 
     setup(
         name=_PACKAEG_NAME,
-        version='5.1.7',
+        version='5.1.8',
         package_dir={"": "src"},
         packages=find_packages(where='src'),
         description='FOSSLight Binary Scanner',
@@ -45,10 +45,10 @@
         download_url='https://github.com/fosslight/fosslight_binary_scanner',
         classifiers=['License :: OSI Approved :: Apache Software License',
                      "Programming Language :: Python :: 3",
-                     "Programming Language :: Python :: 3.6",
-                     "Programming Language :: Python :: 3.7",
-                     "Programming Language :: Python :: 3.8",
-                     "Programming Language :: Python :: 3.9", ],
+                     "Programming Language :: Python :: 3.10",
+                     "Programming Language :: Python :: 3.11",
+                     "Programming Language :: Python :: 3.12"],
+        python_requires='>=3.10,<3.13',
         install_requires=install_requires,
         extras_require={
             ':sys_platform == "win32"': [

src/fosslight_binary/_binary_dao.py

@@ -89,22 +89,20 @@ def get_connection_string(dburl):
 def get_oss_info_by_tlsh_and_filename(file_name, checksum_value, tlsh_value):
     sql_statement = "SELECT filename,pathname,checksum,tlshchecksum,ossname,ossversion,\
                     license,platformname,platformversion FROM lgematching "
-    sql_statement_checksum = " WHERE filename='{fname}' AND checksum='{checksum}';".format(fname=file_name,
-                                                                                           checksum=checksum_value)  # Checking checksum first.
-    sql_statement_filename = "SELECT DISTINCT ON (tlshchecksum) tlshchecksum FROM lgematching WHERE filename='{fname}';".format(
-        fname=file_name)  # For getting tlsh values of file.
+    sql_statement_checksum = " WHERE filename=%s AND checksum=%s;"  # Using parameterized query
+    sql_statement_filename = "SELECT DISTINCT ON (tlshchecksum) tlshchecksum FROM lgematching WHERE filename=%s;"  # Using parameterized query
 
     final_result_item = ""
 
     df_result = get_list_by_using_query(
-        sql_statement + sql_statement_checksum, columns)
+        sql_statement + sql_statement_checksum, columns, (file_name, checksum_value))
     # Found a file with the same checksum.
     if df_result is not None and len(df_result) > 0:
         final_result_item = df_result
     else:
         # Match tlsh and fileName
         df_result = get_list_by_using_query(
-            sql_statement_filename, ['tlshchecksum'])
+            sql_statement_filename, ['tlshchecksum'], (file_name,))
         if df_result is None or len(df_result) <= 0:
             final_result_item = ""
         elif tlsh_value == TLSH_CHECKSUM_NULL:  # Couldn't get the tlsh of a file.
@@ -124,20 +122,25 @@ def get_oss_info_by_tlsh_and_filename(file_name, checksum_value, tlsh_value):
                     logger.warning(f"* (Minor) Error_tlsh_comparison: {ex}")
             if matched_tlsh != "":
                 final_result_item = get_list_by_using_query(
-                    sql_statement + " WHERE filename='{fname}' AND tlshchecksum='{tlsh}';".format(fname=file_name,
-                                                                                                  tlsh=matched_tlsh),
-                    columns)
+                    sql_statement + " WHERE filename=%s AND tlshchecksum=%s;", columns, (file_name, matched_tlsh))
 
     return final_result_item
 
 
-def get_list_by_using_query(sql_query, columns):
+def get_list_by_using_query(sql_query, columns, params=None):
     result_rows = ""  # DataFrame
-    cur.execute(sql_query)
-    rows = cur.fetchall()
+    try:
+        if params:
+            cur.execute(sql_query, params)
+        else:
+            cur.execute(sql_query)
+        rows = cur.fetchall()
 
-    if rows is not None and len(rows) > 0:
-        result_rows = pd.DataFrame(data=rows, columns=columns)
+        if rows is not None and len(rows) > 0:
+            result_rows = pd.DataFrame(data=rows, columns=columns)
+    except Exception as ex:
+        logger.error(f"Database query error: {ex}")
+        result_rows = ""
     return result_rows
 
 

src/fosslight_binary/_jar_analysis.py

@@ -270,20 +270,23 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
             # Get Vulnerability Info.
             vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)
 
-            if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "":
-                oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
-                oss.comment = "OWASP result"
-
-                if file_with_path in owasp_items:
-                    owasp_items[file_with_path]["oss_list"].append(oss)
-                    # Update sha1 if not already set or if current sha1 is empty
-                    if not owasp_items[file_with_path]["sha1"] and sha1:
-                        owasp_items[file_with_path]["sha1"] = sha1
-                else:
-                    owasp_items[file_with_path] = {
-                        "oss_list": [oss],
-                        "sha1": sha1
-                    }
+            if oss_name or oss_license or oss_dl_url:
+                oss_list_for_file = owasp_items.get(file_with_path, [])
+
+                existing_oss = None
+                for item in oss_list_for_file:
+                    if item.name == oss_name and item.version == oss_ver:
+                        existing_oss = item
+                        break
+
+                if not existing_oss:
+                    oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
+                    oss.comment = "OWASP result"
+
+                    if file_with_path in owasp_items:
+                        owasp_items[file_with_path].append(oss)
+                    else:
+                        owasp_items[file_with_path] = [oss]
     except Exception as ex:
         logger.debug(f"Error to get dependency Info in jar_contents: {ex}")