PoetryAnalyzer.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2019 Nima Yahyazadeh. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.analyzer;

  20. import com.github.packageurl.MalformedPackageURLException;
  21. import com.github.packageurl.PackageURL;
  22. import com.github.packageurl.PackageURLBuilder;
  23. import java.io.FileFilter;
  24. import java.util.List;

  26. import javax.annotation.concurrent.ThreadSafe;

  28. import org.owasp.dependencycheck.Engine;
  29. import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
  30. import org.owasp.dependencycheck.dependency.Confidence;
  31. import org.owasp.dependencycheck.dependency.Dependency;
  32. import org.owasp.dependencycheck.dependency.EvidenceType;
  33. import org.owasp.dependencycheck.exception.InitializationException;
  34. import org.owasp.dependencycheck.utils.FileFilterBuilder;
  35. import org.owasp.dependencycheck.utils.Settings;

  37. import com.moandjiezana.toml.Toml;
  38. import java.io.File;
  39. import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
  40. import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
  41. import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
  42. import org.owasp.dependencycheck.utils.Checksum;
  43. import org.slf4j.Logger;
  44. import org.slf4j.LoggerFactory;

  46. /**
  47.  * Poetry dependency analyzer.
  48.  *
  49.  * @author Ferdinand Niedermann
  50.  * @author Jeremy Long
  51.  */
  52. @ThreadSafe
  53. @Experimental
  54. public class PoetryAnalyzer extends AbstractFileTypeAnalyzer {

  56.     /**
  57.      * The logger.
  58.      */
  59.     private static final Logger LOGGER = LoggerFactory.getLogger(PoetryAnalyzer.class);

  61.     /**
  62.      * A descriptor for the type of dependencies processed or added by this
  63.      * analyzer.
  64.      */
  65.     public static final String DEPENDENCY_ECOSYSTEM = Ecosystem.PYTHON;

  67.     /**
  68.      * Lock file name.
  69.      */
  70.     private static final String POETRY_LOCK = "poetry.lock";
  71.     /**
  72.      * Poetry project file.
  73.      */
  74.     private static final String PYPROJECT_TOML = "pyproject.toml";
  75.     /**
  76.      * The file filter for poetry.lock
  77.      */
  78.     private static final FileFilter POETRY_LOCK_FILTER = FileFilterBuilder.newInstance()
  79.             .addFilenames(POETRY_LOCK, PYPROJECT_TOML)
  80.             .build();

  82.     /**
  83.      * Returns the name of the Poetry Analyzer.
  84.      *
  85.      * @return the name of the analyzer
  86.      */
  87.     @Override
  88.     public String getName() {
  89.         return "Poetry Analyzer";
  90.     }

  92.     /**
  93.      * Tell that we are used for information collection.
  94.      *
  95.      * @return INFORMATION_COLLECTION
  96.      */
  97.     @Override
  98.     public AnalysisPhase getAnalysisPhase() {
  99.         return AnalysisPhase.INFORMATION_COLLECTION;
  100.     }

  102.     /**
  103.      * Returns the key name for the analyzers enabled setting.
  104.      *
  105.      * @return the key name for the analyzers enabled setting
  106.      */
  107.     @Override
  108.     protected String getAnalyzerEnabledSettingKey() {
  109.         return Settings.KEYS.ANALYZER_POETRY_ENABLED;
  110.     }

  112.     /**
  113.      * Returns the FileFilter
  114.      *
  115.      * @return the FileFilter
  116.      */
  117.     @Override
  118.     protected FileFilter getFileFilter() {
  119.         return POETRY_LOCK_FILTER;
  120.     }

  122.     /**
  123.      * No-op initializer implementation.
  124.      *
  125.      * @param engine a reference to the dependency-check engine
  126.      *
  127.      * @throws InitializationException never thrown
  128.      */
  129.     @Override
  130.     protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
  131.         // Nothing to do here.
  132.     }

  134.     /**
  135.      * Analyzes poetry packages and adds evidence to the dependency.
  136.      *
  137.      * @param dependency the dependency being analyzed
  138.      * @param engine the engine being used to perform the scan
  139.      *
  140.      * @throws AnalysisException thrown if there is an unrecoverable error
  141.      * analyzing the dependency
  142.      */
  143.     @Override
  144.     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
  145.         LOGGER.debug("Checking file {}", dependency.getActualFilePath());

  147.         //do not report on the build file itself
  148.         engine.removeDependency(dependency);

  150.         final Toml result = new Toml().read(dependency.getActualFile());
  151.         if (PYPROJECT_TOML.equals(dependency.getActualFile().getName())) {
  152.             if (result.getTable("tool.poetry") == null) {
  153.                 LOGGER.debug("skipping {} as it does not contain `tool.poetry`", dependency.getDisplayFileName());
  154.                 return;
  155.             }

  157.             final File parentPath = dependency.getActualFile().getParentFile();
  158.             ensureLock(parentPath);
  159.             //exit as we can't analyze pyproject.toml - insufficient version information
  160.             return;
  161.         }

  163.         final List<Toml> projectsLocks = result.getTables("package");
  164.         if (projectsLocks == null) {
  165.             return;
  166.         }
  167.         projectsLocks.forEach((project) -> {
  168.             final String name = project.getString("name");
  169.             final String version = project.getString("version");

  171.             LOGGER.debug(String.format("package, version: %s %s", name, version));

  173.             final Dependency d = new Dependency(dependency.getActualFile(), true);
  174.             d.setName(name);
  175.             d.setVersion(version);

  177.             try {
  178.                 final PackageURL purl = PackageURLBuilder.aPackageURL()
  179.                         .withType("pypi")
  180.                         .withName(name)
  181.                         .withVersion(version)
  182.                         .build();
  183.                 d.addSoftwareIdentifier(new PurlIdentifier(purl, Confidence.HIGHEST));
  184.             } catch (MalformedPackageURLException ex) {
  185.                 LOGGER.debug("Unable to build package url for pypi", ex);
  186.                 d.addSoftwareIdentifier(new GenericIdentifier("pypi:" + name + "@" + version, Confidence.HIGH));
  187.             }

  189.             d.setPackagePath(String.format("%s:%s", name, version));
  190.             d.setEcosystem(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM);
  191.             final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), name, version);
  192.             d.setFilePath(filePath);
  193.             d.setSha1sum(Checksum.getSHA1Checksum(filePath));
  194.             d.setSha256sum(Checksum.getSHA256Checksum(filePath));
  195.             d.setMd5sum(Checksum.getMD5Checksum(filePath));
  196.             d.addEvidence(EvidenceType.PRODUCT, POETRY_LOCK, "product", name, Confidence.HIGHEST);
  197.             d.addEvidence(EvidenceType.VERSION, POETRY_LOCK, "version", version, Confidence.HIGHEST);
  198.             d.addEvidence(EvidenceType.VENDOR, POETRY_LOCK, "vendor", name, Confidence.HIGHEST);
  199.             engine.addDependency(d);
  200.         });
  201.     }

  203.     private void ensureLock(File parent) throws AnalysisException {
  204.         final File lock = new File(parent, POETRY_LOCK);
  205.         final File requirements = new File(parent, "requirements.txt");
  206.         final boolean found = lock.isFile() || requirements.isFile();
  207.         //do not throw an error if the pyproject.toml is in the node_modules (#5464).
  208.         if (!found && !parent.toString().contains("node_modules")) {
  209.             throw new AnalysisException("Python `pyproject.toml` found and there "
  210.                     + "is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete");
  211.         }
  212.     }
  213. }
Created with JaCoCo 0.8.12.202403310830