github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-13 23:33:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial checkin of ComposerLockAnalyzer

Browse Source
This commit is contained in:
Will Stranathan
2015-09-05 12:57:07 -04:00
parent b5a070b228
commit 6a7a868b71
14 changed files with 2395 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java Normal file
View File

@@ -0,0 +1,161 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.composer.ComposerDependency;
import org.owasp.dependencycheck.data.composer.ComposerException;
import org.owasp.dependencycheck.data.composer.ComposerLockParser;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
/**
* Used to analyze a composer.lock file for a composer PHP app.
*
* @author colezlaw
*/
public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The logger
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
/**
* The analyzer name
*/
private static final String ANALYZER_NAME = "Composer.lock analyzer";
/**
* composer.json
*/
private static final String COMPOSER_LOCK = "composer.lock";
/**
* The FileFilter
*/
private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
/**
* Returns the FileFilter
*
* @return the FileFilter
*/
@Override
protected FileFilter getFileFilter() {
return FILE_FILTER;
}
/**
* Initializes the analyzer
*
* @throws Exception
*/
@Override
protected void initializeFileTypeAnalyzer() throws Exception {
sha1 = MessageDigest.getInstance("SHA1");
}
/**
* The MessageDigest for calculating a new digest for the new dependencies added
*/
private MessageDigest sha1 = null;
/**
* Entry point for the analyzer.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @throws AnalysisException if there's a failure during analysis
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
FileInputStream fis = null;
try {
fis = new FileInputStream(dependency.getActualFile());
final ComposerLockParser clp = new ComposerLockParser(fis);
LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
clp.process();
for (ComposerDependency dep : clp.getDependencies()) {
final Dependency d = new Dependency(dependency.getActualFile());
d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
d.setFilePath(filePath);
d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
LOGGER.info("Adding dependency {}", d);
engine.getDependencies().add(d);
}
} catch (FileNotFoundException fnfe) {
LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
} catch (ComposerException ce) {
LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
} finally {
if (fis != null) {
try {
fis.close();
} catch (Exception e) {
LOGGER.debug("Unable to close file", e);
}
}
}
}
/**
* Gets the key to determine whether the analyzer is enabled.
*
* @return the key specifying whether the analyzer is enabled
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED;
}
/**
* Returns the analyzer's name.
*
* @return the analyzer's name
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns the phase this analyzer should run under.
*
* @return the analysis phase
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return AnalysisPhase.INFORMATION_COLLECTION;
}
}

27
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -104,6 +104,21 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
"spring-security-core",
Confidence.HIGH);
final Evidence symfony = new Evidence("composer.lock",
"vendor",
"symfony",
Confidence.HIGHEST);
final Evidence zendframeworkVendor = new Evidence("composer.lock",
"vendor",
"zendframework",
Confidence.HIGHEST);
final Evidence zendframeworkProduct = new Evidence("composer.lock",
"product",
"zendframework",
Confidence.HIGHEST);
//springsource/vware problem
final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
@@ -128,6 +143,18 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
}
if (vendor.contains(symfony)) {
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
}
if (vendor.contains(zendframeworkVendor)) {
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
}
if (product.contains(zendframeworkProduct)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
}
//sun/oracle problem
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
final List<Evidence> newEntries = new ArrayList<Evidence>();

103
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java Normal file
View File

@@ -0,0 +1,103 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.composer;
/**
* Reperesents a dependency (GAV, right now) from a Composer dependency.
*
* @author colezlaw
*/
public final class ComposerDependency {
/** The group */
private final String group;
/** The project */
private final String project;
/** The version */
private final String version;
/**
* Create a ComposerDependency from group, project, and version.
*
* @param group the group
* @param project the project
* @param version the version
*/
public ComposerDependency(String group, String project, String version) {
this.group = group;
this.project = project;
this.version = version;
}
/**
* Get the group.
*
* @return the group
*/
public String getGroup() {
return group;
}
/**
* Get the project.
*
* @return the project
*/
public String getProject() {
return project;
}
/**
* Get the version.
*
* @return the version
*/
public String getVersion() {
return version;
}
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (!(o instanceof ComposerDependency)) {
return false;
}
final ComposerDependency that = (ComposerDependency) o;
if (group != null ? !group.equals(that.group) : that.group != null) {
return false;
}
if (project != null ? !project.equals(that.project) : that.project != null) {
return false;
}
return !(version != null ? !version.equals(that.version) : that.version != null);
}
@Override
public int hashCode() {
int result = group != null ? group.hashCode() : 0;
result = 31 * result + (project != null ? project.hashCode() : 0);
result = 31 * result + (version != null ? version.hashCode() : 0);
return result;
}
}

52
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java Normal file
View File

@@ -0,0 +1,52 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.composer;
/**
* Represents an exception when handling a composer.json or composer.lock
* file. Generally used to wrap a downstream exception.
*
* @author colezlaw
*/
public class ComposerException extends RuntimeException {
/**
* Creates a ComposerException with default message.
*/
public ComposerException() {
super();
}
/**
* Creates a ComposerException with the specified message.
*
* @param message the exception message
*/
public ComposerException(String message) {
super(message);
}
/**
* Creates a Composer exception with the specified message and cause.
*
* @param message the message
* @param cause the underlying cause
*/
public ComposerException(String message, Throwable cause) {
super(message, cause);
}
}

115
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java Normal file
View File

@@ -0,0 +1,115 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.composer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.stream.JsonParsingException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
/**
* Parses a Composer.lock file from an input stream. In a separate class so it can hopefully be injected.
*
* @author colezlaw
*/
public class ComposerLockParser {
/** The JsonReader for parsing JSON */
private final JsonReader jsonReader;
/** The input stream we'll read */
private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
/** The List of ComposerDependencies found */
private final List<ComposerDependency> composerDependencies;
/** The LOGGER */
private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
/**
* Createas a ComposerLockParser from a JsonReader and an InputStream.
*
* @param inputStream the InputStream to parse
*/
public ComposerLockParser(InputStream inputStream) {
LOGGER.info("Creating a ComposerLockParser");
this.inputStream = inputStream;
this.jsonReader = Json.createReader(inputStream);
this.composerDependencies = new ArrayList<ComposerDependency>();
}
/**
* Process the input stream to create the list of dependencies.
*/
public void process() {
LOGGER.info("Beginning Composer lock processing");
try {
final JsonObject composer = jsonReader.readObject();
if (composer.containsKey("packages")) {
LOGGER.debug("Found packages");
final JsonArray packages = composer.getJsonArray("packages");
for (JsonObject pkg : packages.getValuesAs(JsonObject.class)) {
if (pkg.containsKey("name")) {
final String groupName = pkg.getString("name");
if (groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1) {
if (pkg.containsKey("version")) {
final String group = groupName.substring(0, groupName.indexOf('/'));
final String project = groupName.substring(groupName.indexOf('/') + 1);
String version = pkg.getString("version");
// Some version nubmers begin with v - which doesn't end up matching CPE's
if (version.startsWith("v")) {
version = version.substring(1);
}
LOGGER.debug("Got package {}/{}/{}", group, project, version);
composerDependencies.add(new ComposerDependency(group, project, version));
} else {
LOGGER.debug("Group/package {} does not have a version", groupName);
}
} else {
LOGGER.debug("Got a dependency with no name");
}
}
}
}
} catch (JsonParsingException jsonpe) {
throw new ComposerException("Error parsing stream", jsonpe);
} catch (JsonException jsone) {
throw new ComposerException("Error reading stream", jsone);
} catch (IllegalStateException ise) {
throw new ComposerException("Illegal state in composer stream", ise);
} catch (ClassCastException cce) {
throw new ComposerException("Not exactly composer lock", cce);
}
}
/**
* Gets the list of dependencies.
*
* @return the list of dependencies
*/
public List<ComposerDependency> getDependencies() {
return composerDependencies;
}
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/package-info.java Normal file
View File

@@ -0,0 +1,4 @@
/**
* Model elements for PHP Composer files
*/
package org.owasp.dependencycheck.data.composer;

1
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -19,3 +19,4 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
org.owasp.dependencycheck.analyzer.CMakeAnalyzer
org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer

1746
dependency-check-core/src/main/resources/composer.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

1
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -61,6 +61,7 @@ analyzer.archive.enabled=true
analyzer.jar.enabled=true
analyzer.nuspec.enabled=true
analyzer.assembly.enabled=true
analyzer.composer.lock.enabled=true
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true

101
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java Normal file
View File

@@ -0,0 +1,101 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.io.File;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
/**
* Unit tests for NodePackageAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
*/
public class ComposerLockAnalyzerTest extends BaseTest {
/**
* The analyzer to test.
*/
ComposerLockAnalyzer analyzer;
/**
* Correctly setup the analyzer for testing.
*
* @throws Exception thrown if there is a problem
*/
@Before
public void setUp() throws Exception {
analyzer = new ComposerLockAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
}
/**
* Cleanup the analyzer's temp files, etc.
*
* @throws Exception thrown if there is a problem
*/
@After
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
}
/**
* Test of getName method, of class ComposerLockAnalyzer.
*/
@Test
public void testGetName() {
assertEquals("Composer.lock analyzer", analyzer.getName());
}
/**
* Test of supportsExtension method, of class ComposerLockAnalyzer.
*/
@Test
public void testSupportsFiles() {
assertTrue(analyzer.accept(new File("composer.lock")));
}
/**
* Test of inspect method, of class PythonDistributionAnalyzer.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzePackageJson() throws Exception {
final Engine engine = new Engine();
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"composer.lock"));
analyzer.analyze(result, engine);
}
}

68
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java Normal file
View File

@@ -0,0 +1,68 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.composer;
import org.junit.Before;
import org.junit.Test;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.Charset;
import static org.junit.Assert.*;
/**
* Created by colezlaw on 9/5/15.
*/
public class ComposerLockParserTest {
private InputStream inputStream;
@Before
public void setUp() {
inputStream = this.getClass().getClassLoader().getResourceAsStream("composer.lock");
}
@Test
public void testValidComposerLock() {
ComposerLockParser clp = new ComposerLockParser(inputStream);
clp.process();
assertEquals(30, clp.getDependencies().size());
assertTrue(clp.getDependencies().contains(new ComposerDependency("symfony", "translation", "2.7.3")));
}
@Test(expected=ComposerException.class)
public void testNotJSON() throws Exception {
String input = "NOT VALID JSON";
ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
clp.process();
}
@Test(expected=ComposerException.class)
public void testNotComposer() throws Exception {
String input = "[\"ham\",\"eggs\"]";
ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
clp.process();
}
@Test(expected=ComposerException.class)
public void testNotPackagesArray() throws Exception {
String input = "{\"packages\":\"eleventy\"}";
ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
clp.process();
}
}

8
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -225,6 +225,14 @@ public final class Settings {
* The properties key for whether the node.js package analyzer is enabled.
*/
public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled";
/**
* The properties key for whether the composer json file analyzer is enabled.
*/
public static final String ANALYZER_COMPOSER_JSON_ENABLED = "analyzer.composer.json.enabled";
/**
* The properties key for whether the composer lock file analyzer is enabled.
*/
public static final String ANALYZER_COMPOSER_LOCK_ENABLED = "analyzer.composer.lock.enabled";
/**
* The properties key for the Nexus search URL.
*/

7
src/site/markdown/analyzers/composer-lock.md Normal file
View File

@@ -0,0 +1,7 @@
Composer Lock Analyzer
==============
OWASP dependency-check includes an analyzer that scans composer.lock files to get exact dependency
version information from PHP projects which are managed with [Composer](http://getcomposer.org/).
If you're using Composer to manage your project, this will only analyze the `composer.lock` file
currently, so you'll need to run `composer install` to have Composer generate this file.

1
src/site/markdown/analyzers/index.md
View File

@@ -10,6 +10,7 @@ to extract identification information from the files analyzed.
| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
| [Composer Lock](./composer-lock.html) | PHP [Composer](http://getcomposer.org) Lock files (composer.lock) | Parses PHP [Composer](http://getcomposer.org) lock files for exact versions of dependencies. |
| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . |
| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |