7 changes: 3 additions & 4 deletions src/fosslight_binary/_binary.py
Expand Up @@ -10,6 +10,7 @@
EXCLUDE_TRUE_VALUE = "Exclude"
TLSH_CHECKSUM_NULL = "0"
MAX_EXCEL_URL_LENGTH = 255
EXCEEDED_VUL_URL_LENGTH_COMMENT = f"Exceeded the maximum vulnerability URL length of {MAX_EXCEL_URL_LENGTH} characters."

logger = logging.getLogger(constant.LOGGER_NAME)

Expand Down Expand Up @@ -54,12 +55,10 @@ def get_vulnerability_items(self, oss):
nvd_url = ", ".join(nvd_url).strip()

if nvd_url and len(nvd_url) > MAX_EXCEL_URL_LENGTH:
oss.comment = f"Exceeded the maximum vulnerability URL length of {MAX_EXCEL_URL_LENGTH} characters."
if EXCEEDED_VUL_URL_LENGTH_COMMENT not in oss.comment:
oss.comment = EXCEEDED_VUL_URL_LENGTH_COMMENT
@bjk7119 , 이 방법보다 중복으로 찍히는 로직을 확인하는 것을 제안드립니다.
재현이 불가하셔서 로직 내 중복 원인이 확인되지 않는 상태인가요?

return nvd_url

def get_print_binary_only(self):
return (self.source_name_or_path + "\t" + self.checksum + "\t" + self.tlsh)

def get_print_array(self):
items = []
if self.oss_items:
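Review bot: The guard `if EXCEEDED_VUL_URL_LENGTH_COMMENT not in oss.comment:` tests for a substring, but the assignment under it replaces the whole comment, so any text `oss.comment` already held is discarded and the check only prevents re-assigning the identical string. If `oss.comment` can be `None` at this point (its initial value is not visible in the hunk), the `in` test raises `TypeError` rather than falling through. If the intent is to keep the existing comment and add the length note once, the branch should join the note onto `oss.comment` with the separator the project uses for comments instead of overwriting it, with an explicit `if not oss.comment:` case for the empty value. get_vulnerability_items starts outside this hunk.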
59 changes: 40 additions & 19 deletions src/fosslight_binary/_jar_analysis.py
Expand Up @@ -57,6 +57,34 @@ def get_oss_lic_in_jar(data):
return license


def copy_oss_info_by_checksum(bin_list):
checksum_groups = {}

for bin in bin_list:
if bin.checksum and bin.checksum != "":
if bin.checksum not in checksum_groups:
checksum_groups[bin.checksum] = []
checksum_groups[bin.checksum].append(bin)

for checksum, bins in checksum_groups.items():
if len(bins) > 1:
dup_bin = None
for bin in bins:
if bin.oss_items and len(bin.oss_items) > 0:
dup_bin = bin
이렇게 세팅하면 Binary DB을 load한 binary인지, OWASP에서 값을 읽어온 binary인지 구분이 되나요?
그리고 OWASP에서 값을 읽어온 binary의 값을 copy시, Comment 도 "OWASP result"로 바뀌는 것인지 문의드립니다. (코드 상으로는 안 바뀔 것 같아서요)

break

if dup_bin:
for bin in bins:
if bin != dup_bin and (not bin.oss_items or len(bin.oss_items) == 0):
bin.set_oss_items(dup_bin.oss_items)
bin.found_in_owasp = dup_bin.found_in_owasp
if dup_bin.vulnerability_items:
bin.vulnerability_items.extend(dup_bin.vulnerability_items)
logger.debug(f"Copied OSS info from {dup_bin.source_name_or_path} to {bin.source_name_or_path} (checksum: {checksum})")
return bin_list


def merge_binary_list(owasp_items, vulnerability_items, bin_list):
not_found_bin = []

Expand All @@ -83,6 +111,7 @@ def merge_binary_list(owasp_items, vulnerability_items, bin_list):
not_found_bin.append(bin_item)

bin_list += not_found_bin
bin_list = copy_oss_info_by_checksum(bin_list)
return bin_list


Expand Down Expand Up @@ -166,6 +195,7 @@ def get_oss_info_from_pkg_info(pkg_info):


def analyze_jar_file(path_to_find_bin, path_to_exclude):
remove_owasp_item = []
owasp_items = {}
remove_vulnerability_items = []
vulnerability_items = {}
Expand All @@ -192,7 +222,8 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
success = False
return owasp_items, vulnerability_items, success

dependencies = jar_contents.get("dependencies")
dependencies = jar_contents.get("dependencies", [])

try:
for val in dependencies:
bin_with_path = ""
Expand Down Expand Up @@ -260,30 +291,20 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)

if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "":
oss_list_for_file = owasp_items.get(file_with_path, [])

existing_oss = None
for item in oss_list_for_file:
if item.name == oss_name and item.version == oss_ver:
existing_oss = item
break

if not existing_oss:
oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
oss.comment = "OWASP result"
oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
oss.comment = "OWASP result"

if file_with_path in owasp_items:
owasp_items[file_with_path].append(oss)
else:
owasp_items[file_with_path] = [oss]
remove_owasp_item = owasp_items.get(file_with_path)
if remove_owasp_item:
remove_owasp_item.append(oss)
else:
owasp_items[file_with_path] = [oss]
except Exception as ex:
logger.debug(f"Error to get depency Info in jar_contets: {ex}")
success = False
logger.debug(f"Error to get dependency Info in jar_contents: {ex}")

try:
if os.path.isfile(json_file):
os.remove(json_file)
except Exception as ex:
logger.debug(f"Error - There is no .json file : {ex}")

return owasp_items, vulnerability_items, success
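Review bot: The `except Exception as ex:` that wraps the whole `for val in dependencies:` loop no longer sets `success = False`, so an exception on one dependency entry now aborts the remaining entries, is logged only at debug level, and `analyze_jar_file` still returns `success` unchanged with a partial `owasp_items`/`vulnerability_items`; callers reading the flag cannot tell that the OWASP result is incomplete. Either keep `success = False` in that branch, or if skipping a single bad entry is the goal, move the try/except inside the loop body and `continue`. Separately, `remove_owasp_item = owasp_items.get(file_with_path)` reuses the list initialised at the top of the function as a temporary for the per-file entry, which reads as if the file's items were queued for removal; `owasp_items.setdefault(file_with_path, []).append(oss)` does the same in one line without the reused name. The function starts outside this hunk.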