From 13d7d296301c2dee27aa4317a6aa6ca40577f4c6 Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Thu, 19 Feb 2015 21:08:45 -0500 Subject: [PATCH 1/2] Modified NexusAnalyzer to download POM if required NexusAnalyzer previously would just get GAV for a match, but the POM may be separate from the jar and contain other valuable information. This includes refactoring of the analyzePom into PomUtils. Former-commit-id: f7311e08324d8bc6a5860f4be2b0e409fdcf9ba3 --- .../analyzer/CentralAnalyzer.java | 87 +----------------- .../analyzer/NexusAnalyzer.java | 42 +++++++++ .../data/nexus/MavenArtifact.java | 2 + .../data/nexus/NexusSearch.java | 13 ++- .../dependencycheck/jaxb/pom/PomUtils.java | 89 +++++++++++++++++++ 5 files changed, 146 insertions(+), 87 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java index cbe976018..244358fa1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java @@ -34,8 +34,6 @@ import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.jaxb.pom.PomUtils; -import org.owasp.dependencycheck.jaxb.pom.generated.Model; -import org.owasp.dependencycheck.jaxb.pom.generated.Organization; import org.owasp.dependencycheck.utils.DownloadFailedException; import org.owasp.dependencycheck.utils.Downloader; import org.owasp.dependencycheck.utils.InvalidSettingException; @@ -218,7 +216,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } LOGGER.fine(String.format("Downloading %s", ma.getPomUrl())); Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile); - analyzePOM(dependency, pomFile); + pomUtil.analyzePOM(dependency, pomFile); } catch (DownloadFailedException ex) { final String msg = String.format("Unable to download pom.xml for %s from Central; " @@ -242,87 +240,4 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer { } } - /** - * Reads in the pom file and adds elements as evidence to the given dependency. - * - * @param dependency the dependency being analyzed - * @param pomFile the pom file to read - * @throws AnalysisException is thrown if there is an exception parsing the pom - */ - protected void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException { - final Model pom = pomUtil.readPom(pomFile); - - String groupid = pom.getGroupId(); - String parentGroupId = null; - - if (pom.getParent() != null) { - parentGroupId = pom.getParent().getGroupId(); - if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) { - groupid = parentGroupId; - } - } - if (groupid != null && !groupid.isEmpty()) { - dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST); - dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW); - if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) { - dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM); - dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW); - } - } - String artifactid = pom.getArtifactId(); - String parentArtifactId = null; - if (pom.getParent() != null) { - parentArtifactId = pom.getParent().getArtifactId(); - if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) { - artifactid = parentArtifactId; - } - } - if (artifactid != null && !artifactid.isEmpty()) { - if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) { - artifactid = artifactid.substring(4); - } - dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST); - dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW); - if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) { - dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM); - dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW); - } - } - //version - String version = pom.getVersion(); - String parentVersion = null; - if (pom.getParent() != null) { - parentVersion = pom.getParent().getVersion(); - if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) { - version = parentVersion; - } - } - if (version != null && !version.isEmpty()) { - dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST); - if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) { - dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW); - } - } - - final Organization org = pom.getOrganization(); - if (org != null) { - final String orgName = org.getName(); - if (orgName != null && !orgName.isEmpty()) { - dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH); - } - } - final String pomName = pom.getName(); - if (pomName != null && !pomName.isEmpty()) { - dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); - dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); - } - - if (pom.getDescription() != null) { - final String description = pom.getDescription(); - if (description != null && !description.isEmpty()) { - JarAnalyzer.addDescription(dependency, description, "pom", "description"); - } - } - JarAnalyzer.extractLicense(pom, null, dependency); - } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index d1bc64b08..33fd39856 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.analyzer; +import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.net.MalformedURLException; @@ -24,13 +25,18 @@ import java.net.URL; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.commons.io.FileUtils; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nexus.NexusSearch; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; +import org.owasp.dependencycheck.jaxb.pom.PomUtils; import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.DownloadFailedException; +import org.owasp.dependencycheck.utils.Downloader; import org.owasp.dependencycheck.utils.Settings; /** @@ -83,6 +89,10 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { * Field indicating if the analyzer is enabled. */ private final boolean enabled = checkEnabled(); + /** + * Field for doing POM work + */ + private final PomUtils pomUtil = new PomUtils(); /** * Determines if this analyzer is enabled @@ -202,6 +212,38 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { try { final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum()); dependency.addAsEvidence("nexus", ma, Confidence.HIGH); + boolean pomAnalyzed = false; + LOGGER.fine("POM URL " + ma.getPomUrl()); + for (Evidence e : dependency.getVendorEvidence()) { + if ("pom".equals(e.getSource())) { + pomAnalyzed = true; + break; + } + } + if (!pomAnalyzed && ma.getPomUrl() != null) { + File pomFile = null; + try { + final File baseDir = Settings.getTempDirectory(); + pomFile = File.createTempFile("pom", ".xml", baseDir); + if (!pomFile.delete()) { + final String msg = String.format("Unable to fetch pom.xml for %s from Central; " + + "this could result in undetected CPE/CVEs.", dependency.getFileName()); + LOGGER.warning(msg); + LOGGER.fine("Unable to delete temp file"); + } + LOGGER.fine(String.format("Downloading %s", ma.getPomUrl())); + Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile); + pomUtil.analyzePOM(dependency, pomFile); + } catch (DownloadFailedException ex) { + final String msg = String.format("Unable to download pom.xml for %s from Central; " + + "this could result in undetected CPE/CVEs.", dependency.getFileName()); + LOGGER.warning(msg); + } finally { + if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) { + pomFile.deleteOnExit(); + } + } + } } catch (IllegalArgumentException iae) { //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1")); LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName())); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java index ad020c1f3..cf094f8bf 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java @@ -17,6 +17,8 @@ */ package org.owasp.dependencycheck.data.nexus; +import java.io.File; + /** * Simple bean representing a Maven Artifact. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java index ec406a916..a85faca5e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java @@ -131,7 +131,18 @@ public class NexusSearch { .evaluate( "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", doc); - return new MavenArtifact(groupId, artifactId, version, link); + final String pomLink = xpath + .evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink", + doc); + MavenArtifact ma = new MavenArtifact(groupId, artifactId, version); + if (link != null && !"".equals(link)) { + ma.setArtifactUrl(link); + } + if (pomLink != null & !"".equals(pomLink)) { + ma.setPomUrl(pomLink); + } + return ma; } catch (Throwable e) { // Anything else is jacked-up XML stuff that we really can't recover // from well diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java index ac8d4d6e9..ff4e9d732 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java @@ -31,8 +31,13 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; import javax.xml.transform.sax.SAXSource; + +import org.owasp.dependencycheck.analyzer.JarAnalyzer; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.jaxb.pom.generated.Model; +import org.owasp.dependencycheck.jaxb.pom.generated.Organization; import org.xml.sax.InputSource; import org.xml.sax.SAXException; import org.xml.sax.XMLFilter; @@ -134,4 +139,88 @@ public class PomUtils { } return model; } + + /** + * Reads in the pom file and adds elements as evidence to the given dependency. + * + * @param dependency the dependency being analyzed + * @param pomFile the pom file to read + * @throws AnalysisException is thrown if there is an exception parsing the pom + */ + public void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException { + final Model pom = this.readPom(pomFile); + + String groupid = pom.getGroupId(); + String parentGroupId = null; + + if (pom.getParent() != null) { + parentGroupId = pom.getParent().getGroupId(); + if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) { + groupid = parentGroupId; + } + } + if (groupid != null && !groupid.isEmpty()) { + dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST); + dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW); + if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) { + dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM); + dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW); + } + } + String artifactid = pom.getArtifactId(); + String parentArtifactId = null; + if (pom.getParent() != null) { + parentArtifactId = pom.getParent().getArtifactId(); + if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) { + artifactid = parentArtifactId; + } + } + if (artifactid != null && !artifactid.isEmpty()) { + if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) { + artifactid = artifactid.substring(4); + } + dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST); + dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW); + if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) { + dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM); + dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW); + } + } + //version + String version = pom.getVersion(); + String parentVersion = null; + if (pom.getParent() != null) { + parentVersion = pom.getParent().getVersion(); + if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) { + version = parentVersion; + } + } + if (version != null && !version.isEmpty()) { + dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST); + if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) { + dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW); + } + } + + final Organization org = pom.getOrganization(); + if (org != null) { + final String orgName = org.getName(); + if (orgName != null && !orgName.isEmpty()) { + dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH); + } + } + final String pomName = pom.getName(); + if (pomName != null && !pomName.isEmpty()) { + dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); + dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH); + } + + if (pom.getDescription() != null) { + final String description = pom.getDescription(); + if (description != null && !description.isEmpty()) { + JarAnalyzer.addDescription(dependency, description, "pom", "description"); + } + } + JarAnalyzer.extractLicense(pom, null, dependency); + } } From 1eab76aab83e07cc7edd98b4048b9f790f411775 Mon Sep 17 00:00:00 2001 From: Will Stranathan Date: Sun, 22 Feb 2015 14:56:25 -0500 Subject: [PATCH 2/2] Updated error messages to reflect Nexus Former-commit-id: 60bd62aebbf52844150a58fe4afea45be867f249 --- .../org/owasp/dependencycheck/analyzer/NexusAnalyzer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index 33fd39856..7d5650db6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -226,7 +226,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { final File baseDir = Settings.getTempDirectory(); pomFile = File.createTempFile("pom", ".xml", baseDir); if (!pomFile.delete()) { - final String msg = String.format("Unable to fetch pom.xml for %s from Central; " + final String msg = String.format("Unable to fetch pom.xml for %s from Nexus repository; " + "this could result in undetected CPE/CVEs.", dependency.getFileName()); LOGGER.warning(msg); LOGGER.fine("Unable to delete temp file"); @@ -235,7 +235,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile); pomUtil.analyzePOM(dependency, pomFile); } catch (DownloadFailedException ex) { - final String msg = String.format("Unable to download pom.xml for %s from Central; " + final String msg = String.format("Unable to download pom.xml for %s from Nexus repository; " + "this could result in undetected CPE/CVEs.", dependency.getFileName()); LOGGER.warning(msg); } finally {