Coverage Report

Coverage Report - org.owasp.dependencycheck.analyzer.CMakeAnalyzer

Classes in this File

Line Coverage

Branch Coverage

Complexity

CMakeAnalyzer

91%

65/71

80%

8/10

2.143

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * <p>
  * Used to analyze CMake build files, and collect information that can be used
  * to determine the associated CPE.</p>
  * <p>
  * Note: This analyzer catches straightforward invocations of the project
  * command, plus some other observed patterns of version inclusion in real CMake
  * projects. Many projects make use of older versions of CMake and/or use custom
  * "homebrew" ways to insert version information. Hopefully as the newer CMake
  * call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
  * @author Dale Visser
  */
 @Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(CMakeAnalyzer.class);
 
     /**
      * Used when compiling file scanning regex patterns.
      */
     private static final int REGEX_OPTIONS = Pattern.DOTALL
             | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
 
     /**
      * Regex to extract the product information.
      */
     private static final Pattern PROJECT = Pattern.compile(
             "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
 
     /**
      * Regex to extract product and version information.
      *
      * Group 1: Product
      *
      * Group 2: Version
      */
     private static final Pattern SET_VERSION = Pattern
             .compile(
                     "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
                     REGEX_OPTIONS);
 
     /**
      * Detects files that can be analyzed.
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
             .addFilenames("CMakeLists.txt").build();
 
     /**
      * A reference to SHA1 message digest.
      */
     private static MessageDigest sha1 = null;
 
     static {
         try {
             sha1 = MessageDigest.getInstance("SHA1");
         } catch (NoSuchAlgorithmException e) {
             LOGGER.error(e.getMessage());
         }
     }
 
     /**
      * Returns the name of the CMake analyzer.
      *
      * @return the name of the analyzer
      *
      */
     @Override
     public String getName() {
         return "CMake Analyzer";
     }
 
     /**
      * Tell that we are used for information collection.
      *
      * @return INFORMATION_COLLECTION
      */
     @Override
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.INFORMATION_COLLECTION;
     }
 
     /**
      * Returns the set of supported file extensions.
      *
      * @return the set of supported file extensions
      */
     @Override
     protected FileFilter getFileFilter() {
         return FILTER;
     }
 
     /**
      * No-op initializer implementation.
      *
      * @throws InitializationException never thrown
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws InitializationException {
         // Nothing to do here.
     }
 
     /**
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
      * @param engine the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error
      * analyzing the dependency
      */
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File file = dependency.getActualFile();
         final String parentName = file.getParentFile().getName();
         final String name = file.getName();
         dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name));
         String contents;
         try {
             contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
         } catch (IOException e) {
             throw new AnalysisException(
                     "Problem occurred while reading dependency file.", e);
         }
 
         if (StringUtils.isNotBlank(contents)) {
             final Matcher m = PROJECT.matcher(contents);
             int count = 0;
             while (m.find()) {
                 count++;
                 LOGGER.debug(String.format(
                         "Found project command match with %d groups: %s",
                         m.groupCount(), m.group(0)));
                 final String group = m.group(1);
                 LOGGER.debug("Group 1: " + group);
                 dependency.getProductEvidence().addEvidence(name, "Project",
                         group, Confidence.HIGH);
             }
             LOGGER.debug("Found {} matches.", count);
             analyzeSetVersionCommand(dependency, engine, contents);
         }
     }
 
     /**
      * Extracts the version information from the contents. If more then one
      * version is found additional dependencies are added to the dependency
      * list.
      *
      * @param dependency the dependency being analyzed
      * @param engine the dependency-check engine
      * @param contents the version information
      */
     private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
         Dependency currentDep = dependency;
 
         final Matcher m = SET_VERSION.matcher(contents);
         int count = 0;
         while (m.find()) {
             count++;
             LOGGER.debug("Found project command match with {} groups: {}",
                     m.groupCount(), m.group(0));
             String product = m.group(1);
             final String version = m.group(2);
             LOGGER.debug("Group 1: " + product);
             LOGGER.debug("Group 2: " + version);
             final String aliasPrefix = "ALIASOF_";
             if (product.startsWith(aliasPrefix)) {
                 product = product.replaceFirst(aliasPrefix, "");
             }
             if (count > 1) {
                 //TODO - refactor so we do not assign to the parameter (checkstyle)
                 currentDep = new Dependency(dependency.getActualFile());
                 currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
                 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                 currentDep.setFilePath(filePath);
 
                 byte[] path;
                 try {
                     path = filePath.getBytes("UTF-8");
                 } catch (UnsupportedEncodingException ex) {
                     path = filePath.getBytes();
                 }
                 currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                 engine.getDependencies().add(currentDep);
             }
             final String source = currentDep.getDisplayFileName();
             currentDep.getProductEvidence().addEvidence(source, "Product",
                     product, Confidence.MEDIUM);
             currentDep.getVersionEvidence().addEvidence(source, "Version",
                     version, Confidence.MEDIUM);
         }
         LOGGER.debug(String.format("Found %d matches.", count));
     }
 
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.analyzer;
19
20		import org.apache.commons.io.FileUtils;
21		import org.apache.commons.lang3.StringUtils;
22		import org.owasp.dependencycheck.Engine;
23		import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
24		import org.owasp.dependencycheck.dependency.Confidence;
25		import org.owasp.dependencycheck.dependency.Dependency;
26		import org.owasp.dependencycheck.utils.Checksum;
27		import org.owasp.dependencycheck.utils.FileFilterBuilder;
28		import org.owasp.dependencycheck.utils.Settings;
29		import org.slf4j.Logger;
30		import org.slf4j.LoggerFactory;
31
32		import java.io.File;
33		import java.io.FileFilter;
34		import java.io.IOException;
35		import java.io.UnsupportedEncodingException;
36		import java.nio.charset.Charset;
37		import java.security.MessageDigest;
38		import java.security.NoSuchAlgorithmException;
39		import java.util.regex.Matcher;
40		import java.util.regex.Pattern;
41		import org.owasp.dependencycheck.exception.InitializationException;
42
43		/**
44		* <p>
45		* Used to analyze CMake build files, and collect information that can be used
46		* to determine the associated CPE.</p>
47		* <p>
48		* Note: This analyzer catches straightforward invocations of the project
49		* command, plus some other observed patterns of version inclusion in real CMake
50		* projects. Many projects make use of older versions of CMake and/or use custom
51		* "homebrew" ways to insert version information. Hopefully as the newer CMake
52		* call pattern grows in usage, this analyzer allow more CPEs to be
53		* identified.</p>
54		*
55		* @author Dale Visser
56		*/
57		@Experimental
58	11	public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
59
60		/**
61		* The logger.
62		*/
63	1	private static final Logger LOGGER = LoggerFactory.getLogger(CMakeAnalyzer.class);
64
65		/**
66		* Used when compiling file scanning regex patterns.
67		*/
68		private static final int REGEX_OPTIONS = Pattern.DOTALL
69		\| Pattern.CASE_INSENSITIVE \| Pattern.MULTILINE;
70
71		/**
72		* Regex to extract the product information.
73		*/
74	1	private static final Pattern PROJECT = Pattern.compile(
75		"^ project \\([ \\n](\\w+)[ \\n].*?\\)", REGEX_OPTIONS);
76
77		/**
78		* Regex to extract product and version information.
79		*
80		* Group 1: Product
81		*
82		* Group 2: Version
83		*/
84	1	private static final Pattern SET_VERSION = Pattern
85	1	.compile(
86		"^ set\\s\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
87		REGEX_OPTIONS);
88
89		/**
90		* Detects files that can be analyzed.
91		*/
92	1	private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
93	1	.addFilenames("CMakeLists.txt").build();
94
95		/**
96		* A reference to SHA1 message digest.
97		*/
98	1	private static MessageDigest sha1 = null;
99
100		static {
101		try {
102	1	sha1 = MessageDigest.getInstance("SHA1");
103	0	} catch (NoSuchAlgorithmException e) {
104	0	LOGGER.error(e.getMessage());
105	1	}
106	1	}
107
108		/**
109		* Returns the name of the CMake analyzer.
110		*
111		* @return the name of the analyzer
112		*
113		*/
114		@Override
115		public String getName() {
116	15	return "CMake Analyzer";
117		}
118
119		/**
120		* Tell that we are used for information collection.
121		*
122		* @return INFORMATION_COLLECTION
123		*/
124		@Override
125		public AnalysisPhase getAnalysisPhase() {
126	4	return AnalysisPhase.INFORMATION_COLLECTION;
127		}
128
129		/**
130		* Returns the set of supported file extensions.
131		*
132		* @return the set of supported file extensions
133		*/
134		@Override
135		protected FileFilter getFileFilter() {
136	12	return FILTER;
137		}
138
139		/**
140		* No-op initializer implementation.
141		*
142		* @throws InitializationException never thrown
143		*/
144		@Override
145		protected void initializeFileTypeAnalyzer() throws InitializationException {
146		// Nothing to do here.
147	5	}
148
149		/**
150		* Analyzes python packages and adds evidence to the dependency.
151		*
152		* @param dependency the dependency being analyzed
153		* @param engine the engine being used to perform the scan
154		* @throws AnalysisException thrown if there is an unrecoverable error
155		* analyzing the dependency
156		*/
157		@Override
158		protected void analyzeFileType(Dependency dependency, Engine engine)
159		throws AnalysisException {
160	3	final File file = dependency.getActualFile();
161	3	final String parentName = file.getParentFile().getName();
162	3	final String name = file.getName();
163	3	dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name));
164		String contents;
165		try {
166	3	contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
167	0	} catch (IOException e) {
168	0	throw new AnalysisException(
169		"Problem occurred while reading dependency file.", e);
170	3	}
171
172	3	if (StringUtils.isNotBlank(contents)) {
173	3	final Matcher m = PROJECT.matcher(contents);
174	3	int count = 0;
175	5	while (m.find()) {
176	2	count++;
177	4	LOGGER.debug(String.format(
178		"Found project command match with %d groups: %s",
179	2	m.groupCount(), m.group(0)));
180	2	final String group = m.group(1);
181	2	LOGGER.debug("Group 1: " + group);
182	2	dependency.getProductEvidence().addEvidence(name, "Project",
183		group, Confidence.HIGH);
184	2	}
185	3	LOGGER.debug("Found {} matches.", count);
186	3	analyzeSetVersionCommand(dependency, engine, contents);
187		}
188	3	}
189
190		/**
191		* Extracts the version information from the contents. If more then one
192		* version is found additional dependencies are added to the dependency
193		* list.
194		*
195		* @param dependency the dependency being analyzed
196		* @param engine the dependency-check engine
197		* @param contents the version information
198		*/
199		private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
200	3	Dependency currentDep = dependency;
201
202	3	final Matcher m = SET_VERSION.matcher(contents);
203	3	int count = 0;
204	8	while (m.find()) {
205	5	count++;
206	10	LOGGER.debug("Found project command match with {} groups: {}",
207	5	m.groupCount(), m.group(0));
208	5	String product = m.group(1);
209	5	final String version = m.group(2);
210	5	LOGGER.debug("Group 1: " + product);
211	5	LOGGER.debug("Group 2: " + version);
212	5	final String aliasPrefix = "ALIASOF_";
213	5	if (product.startsWith(aliasPrefix)) {
214	5	product = product.replaceFirst(aliasPrefix, "");
215		}
216	5	if (count > 1) {
217		//TODO - refactor so we do not assign to the parameter (checkstyle)
218	4	currentDep = new Dependency(dependency.getActualFile());
219	4	currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
220	4	final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
221	4	currentDep.setFilePath(filePath);
222
223		byte[] path;
224		try {
225	4	path = filePath.getBytes("UTF-8");
226	0	} catch (UnsupportedEncodingException ex) {
227	0	path = filePath.getBytes();
228	4	}
229	4	currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
230	4	engine.getDependencies().add(currentDep);
231		}
232	5	final String source = currentDep.getDisplayFileName();
233	5	currentDep.getProductEvidence().addEvidence(source, "Product",
234		product, Confidence.MEDIUM);
235	5	currentDep.getVersionEvidence().addEvidence(source, "Version",
236		version, Confidence.MEDIUM);
237	5	}
238	3	LOGGER.debug(String.format("Found %d matches.", count));
239	3	}
240
241		@Override
242		protected String getAnalyzerEnabledSettingKey() {
243	11	return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
244		}
245		}