Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.AutoconfAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

AutoconfAnalyzer

90%

64/71

76%

26/34

3.222

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * Used to analyze Autoconf input files named configure.ac or configure.in.
  * Files simply named "configure" are also analyzed, assuming they are generated
  * by Autoconf, and contain certain special package descriptor variables.
  *
  * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project
  * - Free Software Foundation (FSF)</a>
  */
 @Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * Autoconf output filename.
      */
     private static final String CONFIGURE = "configure";
 
     /**
      * Autoconf input filename.
      */
     private static final String CONFIGURE_IN = "configure.in";
 
     /**
      * Autoconf input filename.
      */
     private static final String CONFIGURE_AC = "configure.ac";
 
     /**
      * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Autoconf Analyzer";
 
     /**
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
     /**
      * The set of file extensions supported by this analyzer.
      */
     private static final String[] EXTENSIONS = {"ac", "in"};
 
     /**
      * Matches AC_INIT variables in the output configure script.
      */
     private static final Pattern PACKAGE_VAR = Pattern.compile(
             "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);
 
     /**
      * Matches AC_INIT statement in configure.ac file.
      */
     private static final Pattern AC_INIT_PATTERN;
 
     static {
         // each instance of param or sep_param has a capture group
         final String param = "\\[{0,2}(.+?)\\]{0,2}";
         final String sepParam = "\\s*,\\s*" + param;
         // Group 1: Package
         // Group 2: Version
         // Group 3: optional
         // Group 4: Bug report address (if it exists)
         // Group 5: optional
         // Group 6: Tarname (if it exists)
         // Group 7: optional
         // Group 8: URL (if it exists)
         AC_INIT_PATTERN = Pattern.compile(String.format(
                 "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sepParam,
                 sepParam, sepParam, sepParam), Pattern.DOTALL
                 | Pattern.CASE_INSENSITIVE);
     }
 
     /**
      * The file filter used to determine which files this analyzer supports.
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
             EXTENSIONS).build();
 
     /**
      * Returns the FileFilter
      *
      * @return the FileFilter
      */
     @Override
     protected FileFilter getFileFilter() {
         return FILTER;
     }
 
     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
     @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
 
     /**
      * Returns the key used in the properties file to reference the analyzer's
      * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
     }
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File actualFile = dependency.getActualFile();
         final String name = actualFile.getName();
         if (name.startsWith(CONFIGURE)) {
             final File parent = actualFile.getParentFile();
             final String parentName = parent.getName();
             dependency.setDisplayFileName(parentName + "/" + name);
             final boolean isOutputScript = CONFIGURE.equals(name);
             if (isOutputScript || CONFIGURE_AC.equals(name)
                     || CONFIGURE_IN.equals(name)) {
                 final String contents = getFileContents(actualFile);
                 if (!contents.isEmpty()) {
                     if (isOutputScript) {
                         extractConfigureScriptEvidence(dependency, name,
                                 contents);
                     } else {
                         gatherEvidence(dependency, name, contents);
                     }
                 }
             }
         } else {
             // copy, alter and set in case some other thread is iterating over
             final List<Dependency> dependencies = new ArrayList<Dependency>(
                     engine.getDependencies());
             dependencies.remove(dependency);
             engine.setDependencies(dependencies);
         }
     }
 
     /**
      * Extracts evidence from the configuration.
      *
      * @param dependency the dependency being analyzed
      * @param name the name of the source of evidence
      * @param contents the contents to analyze for evidence
      */
     private void extractConfigureScriptEvidence(Dependency dependency,
             final String name, final String contents) {
         final Matcher matcher = PACKAGE_VAR.matcher(contents);
         while (matcher.find()) {
             final String variable = matcher.group(1);
             final String value = matcher.group(2);
             if (!value.isEmpty()) {
                 if (variable.endsWith("NAME")) {
                     dependency.getProductEvidence().addEvidence(name, variable,
                             value, Confidence.HIGHEST);
                 } else if ("VERSION".equals(variable)) {
                     dependency.getVersionEvidence().addEvidence(name, variable,
                             value, Confidence.HIGHEST);
                 } else if ("BUGREPORT".equals(variable)) {
                     dependency.getVendorEvidence().addEvidence(name, variable,
                             value, Confidence.HIGH);
                 } else if ("URL".equals(variable)) {
                     dependency.getVendorEvidence().addEvidence(name, variable,
                             value, Confidence.HIGH);
                 }
             }
         }
     }
 
     /**
      * Retrieves the contents of a given file.
      *
      * @param actualFile the file to read
      * @return the contents of the file
      * @throws AnalysisException thrown if there is an IO Exception
      */
     private String getFileContents(final File actualFile)
             throws AnalysisException {
         try {
             return FileUtils.readFileToString(actualFile, Charset.defaultCharset()).trim();
         } catch (IOException e) {
             throw new AnalysisException(
                     "Problem occurred while reading dependency file.", e);
         }
     }
 
     /**
      * Gathers evidence from a given file
      *
      * @param dependency the dependency to add evidence to
      * @param name the source of the evidence
      * @param contents the evidence to analyze
      */
     private void gatherEvidence(Dependency dependency, final String name,
             String contents) {
         final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
         if (matcher.find()) {
             final EvidenceCollection productEvidence = dependency
                     .getProductEvidence();
             productEvidence.addEvidence(name, "Package", matcher.group(1),
                     Confidence.HIGHEST);
             dependency.getVersionEvidence().addEvidence(name,
                     "Package Version", matcher.group(2), Confidence.HIGHEST);
             final EvidenceCollection vendorEvidence = dependency
                     .getVendorEvidence();
             if (null != matcher.group(3)) {
                 vendorEvidence.addEvidence(name, "Bug report address",
                         matcher.group(4), Confidence.HIGH);
             }
             if (null != matcher.group(5)) {
                 productEvidence.addEvidence(name, "Tarname", matcher.group(6),
                         Confidence.HIGH);
             }
             if (null != matcher.group(7)) {
                 final String url = matcher.group(8);
                 if (UrlStringUtils.isUrl(url)) {
                     vendorEvidence.addEvidence(name, "URL", url,
                             Confidence.HIGH);
                 }
             }
         }
     }
 
     /**
      * Initializes the file type analyzer.
      *
      * @throws InitializationException thrown if there is an exception during
      * initialization
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws InitializationException {
         // No initialization needed.
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import org.apache.commons.io.FileUtils;
21		import org.owasp.dependencycheck.Engine;
22		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
23		import org.owasp.dependencycheck.dependency.Confidence;
24		import org.owasp.dependencycheck.dependency.Dependency;
25		import org.owasp.dependencycheck.dependency.EvidenceCollection;
26		import org.owasp.dependencycheck.utils.FileFilterBuilder;
27		import org.owasp.dependencycheck.utils.Settings;
28		import org.owasp.dependencycheck.utils.UrlStringUtils;
29
30		import java.io.File;
31		import java.io.FileFilter;
32		import java.io.IOException;
33		import java.nio.charset.Charset;
34		import java.util.ArrayList;
35		import java.util.List;
36		import java.util.regex.Matcher;
37		import java.util.regex.Pattern;
38		import org.owasp.dependencycheck.exception.InitializationException;
39
40		/**
41		* Used to analyze Autoconf input files named configure.ac or configure.in.
42		* Files simply named "configure" are also analyzed, assuming they are generated
43		* by Autoconf, and contain certain special package descriptor variables.
44		*
45		* @author Dale Visser
46		* @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project
47		* - Free Software Foundation (FSF)</a>
48		*/
49		@Experimental
50	12	public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
51
52		/**
53		* Autoconf output filename.
54		*/
55		private static final String CONFIGURE = "configure";
56
57		/**
58		* Autoconf input filename.
59		*/
60		private static final String CONFIGURE_IN = "configure.in";
61
62		/**
63		* Autoconf input filename.
64		*/
65		private static final String CONFIGURE_AC = "configure.ac";
66
67		/**
68		* The name of the analyzer.
69		*/
70		private static final String ANALYZER_NAME = "Autoconf Analyzer";
71
72		/**
73		* The phase that this analyzer is intended to run in.
74		*/
75	1	private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
76
77		/**
78		* The set of file extensions supported by this analyzer.
79		*/
80	1	private static final String[] EXTENSIONS = {"ac", "in"};
81
82		/**
83		* Matches AC_INIT variables in the output configure script.
84		*/
85	1	private static final Pattern PACKAGE_VAR = Pattern.compile(
86		"PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL \| Pattern.CASE_INSENSITIVE);
87
88		/**
89		* Matches AC_INIT statement in configure.ac file.
90		*/
91		private static final Pattern AC_INIT_PATTERN;
92
93		static {
94		// each instance of param or sep_param has a capture group
95	1	final String param = "\\[{0,2}(.+?)\\]{0,2}";
96	1	final String sepParam = "\\s,\\s" + param;
97		// Group 1: Package
98		// Group 2: Version
99		// Group 3: optional
100		// Group 4: Bug report address (if it exists)
101		// Group 5: optional
102		// Group 6: Tarname (if it exists)
103		// Group 7: optional
104		// Group 8: URL (if it exists)
105	1	AC_INIT_PATTERN = Pattern.compile(String.format(
106		"AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sepParam,
107		sepParam, sepParam, sepParam), Pattern.DOTALL
108		\| Pattern.CASE_INSENSITIVE);
109		}
110
111		/**
112		* The file filter used to determine which files this analyzer supports.
113		*/
114	2	private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
115	1	EXTENSIONS).build();
116
117		/**
118		* Returns the FileFilter
119		*
120		* @return the FileFilter
121		*/
122		@Override
123		protected FileFilter getFileFilter() {
124	13	return FILTER;
125		}
126
127		/**
128		* Returns the name of the analyzer.
129		*
130		* @return the name of the analyzer.
131		*/
132		@Override
133		public String getName() {
134	15	return ANALYZER_NAME;
135		}
136
137		/**
138		* Returns the phase that the analyzer is intended to run in.
139		*
140		* @return the phase that the analyzer is intended to run in.
141		*/
142		@Override
143		public AnalysisPhase getAnalysisPhase() {
144	4	return ANALYSIS_PHASE;
145		}
146
147		/**
148		* Returns the key used in the properties file to reference the analyzer's
149		* enabled property.
150		*
151		* @return the analyzer's enabled property setting key
152		*/
153		@Override
154		protected String getAnalyzerEnabledSettingKey() {
155	12	return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
156		}
157
158		@Override
159		protected void analyzeFileType(Dependency dependency, Engine engine)
160		throws AnalysisException {
161	4	final File actualFile = dependency.getActualFile();
162	4	final String name = actualFile.getName();
163	4	if (name.startsWith(CONFIGURE)) {
164	4	final File parent = actualFile.getParentFile();
165	4	final String parentName = parent.getName();
166	4	dependency.setDisplayFileName(parentName + "/" + name);
167	4	final boolean isOutputScript = CONFIGURE.equals(name);
168	4	if (isOutputScript \|\| CONFIGURE_AC.equals(name)
169	0	\|\| CONFIGURE_IN.equals(name)) {
170	4	final String contents = getFileContents(actualFile);
171	4	if (!contents.isEmpty()) {
172	4	if (isOutputScript) {
173	2	extractConfigureScriptEvidence(dependency, name,
174		contents);
175		} else {
176	2	gatherEvidence(dependency, name, contents);
177		}
178		}
179		}
180	4	} else {
181		// copy, alter and set in case some other thread is iterating over
182	0	final List<Dependency> dependencies = new ArrayList<Dependency>(
183	0	engine.getDependencies());
184	0	dependencies.remove(dependency);
185	0	engine.setDependencies(dependencies);
186		}
187	4	}
188
189		/**
190		* Extracts evidence from the configuration.
191		*
192		* @param dependency the dependency being analyzed
193		* @param name the name of the source of evidence
194		* @param contents the contents to analyze for evidence
195		*/
196		private void extractConfigureScriptEvidence(Dependency dependency,
197		final String name, final String contents) {
198	2	final Matcher matcher = PACKAGE_VAR.matcher(contents);
199	20	while (matcher.find()) {
200	18	final String variable = matcher.group(1);
201	18	final String value = matcher.group(2);
202	18	if (!value.isEmpty()) {
203	14	if (variable.endsWith("NAME")) {
204	4	dependency.getProductEvidence().addEvidence(name, variable,
205		value, Confidence.HIGHEST);
206	10	} else if ("VERSION".equals(variable)) {
207	2	dependency.getVersionEvidence().addEvidence(name, variable,
208		value, Confidence.HIGHEST);
209	8	} else if ("BUGREPORT".equals(variable)) {
210	1	dependency.getVendorEvidence().addEvidence(name, variable,
211		value, Confidence.HIGH);
212	7	} else if ("URL".equals(variable)) {
213	1	dependency.getVendorEvidence().addEvidence(name, variable,
214		value, Confidence.HIGH);
215		}
216		}
217	18	}
218	2	}
219
220		/**
221		* Retrieves the contents of a given file.
222		*
223		* @param actualFile the file to read
224		* @return the contents of the file
225		* @throws AnalysisException thrown if there is an IO Exception
226		*/
227		private String getFileContents(final File actualFile)
228		throws AnalysisException {
229		try {
230	4	return FileUtils.readFileToString(actualFile, Charset.defaultCharset()).trim();
231	0	} catch (IOException e) {
232	0	throw new AnalysisException(
233		"Problem occurred while reading dependency file.", e);
234		}
235		}
236
237		/**
238		* Gathers evidence from a given file
239		*
240		* @param dependency the dependency to add evidence to
241		* @param name the source of the evidence
242		* @param contents the evidence to analyze
243		*/
244		private void gatherEvidence(Dependency dependency, final String name,
245		String contents) {
246	2	final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
247	2	if (matcher.find()) {
248	2	final EvidenceCollection productEvidence = dependency
249	2	.getProductEvidence();
250	2	productEvidence.addEvidence(name, "Package", matcher.group(1),
251		Confidence.HIGHEST);
252	4	dependency.getVersionEvidence().addEvidence(name,
253	2	"Package Version", matcher.group(2), Confidence.HIGHEST);
254	2	final EvidenceCollection vendorEvidence = dependency
255	2	.getVendorEvidence();
256	2	if (null != matcher.group(3)) {
257	4	vendorEvidence.addEvidence(name, "Bug report address",
258	2	matcher.group(4), Confidence.HIGH);
259		}
260	2	if (null != matcher.group(5)) {
261	1	productEvidence.addEvidence(name, "Tarname", matcher.group(6),
262		Confidence.HIGH);
263		}
264	2	if (null != matcher.group(7)) {
265	1	final String url = matcher.group(8);
266	1	if (UrlStringUtils.isUrl(url)) {
267	1	vendorEvidence.addEvidence(name, "URL", url,
268		Confidence.HIGH);
269		}
270		}
271		}
272	2	}
273
274		/**
275		* Initializes the file type analyzer.
276		*
277		* @throws InitializationException thrown if there is an exception during
278		* initialization
279		*/
280		@Override
281		protected void initializeFileTypeAnalyzer() throws InitializationException {
282		// No initialization needed.
283	6	}
284		}