RubyBundleAuditAnalyzer.java

  1. /*
  2.  * This file is part of dependency-check-core.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.analyzer;

  20. import java.io.File;
  21. import java.io.FileFilter;
  22. import java.io.IOException;
  23. import java.io.UnsupportedEncodingException;
  24. import java.util.ArrayList;
  25. import java.util.Arrays;
  26. import java.util.Collections;
  27. import java.util.List;
  28. import javax.annotation.concurrent.ThreadSafe;
  29. import org.apache.commons.lang3.StringUtils;

  31. import org.owasp.dependencycheck.Engine;
  32. import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
  33. import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
  34. import org.owasp.dependencycheck.data.nvdcve.CveDB;
  35. import org.owasp.dependencycheck.dependency.Dependency;
  36. import org.owasp.dependencycheck.exception.InitializationException;
  37. import org.owasp.dependencycheck.processing.BundlerAuditProcessor;
  38. import org.owasp.dependencycheck.utils.FileFilterBuilder;
  39. import org.owasp.dependencycheck.utils.processing.ProcessReader;
  40. import org.owasp.dependencycheck.utils.Settings;
  41. import org.slf4j.Logger;
  42. import org.slf4j.LoggerFactory;
  43. import us.springett.parsers.cpe.exceptions.CpeValidationException;

  45. /**
  46.  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
  47.  * bundle-audit tool.
  48.  *
  49.  * @author Dale Visser
  50.  */
  51. @ThreadSafe
  52. public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {

  54.     /**
  55.      * The logger.
  56.      */
  57.     private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);

  59.     /**
  60.      * A descriptor for the type of dependencies processed or added by this
  61.      * analyzer.
  62.      */
  63.     public static final String DEPENDENCY_ECOSYSTEM = Ecosystem.RUBY;

  65.     /**
  66.      * The name of the analyzer.
  67.      */
  68.     private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";

  70.     /**
  71.      * The phase that this analyzer is intended to run in.
  72.      */
  73.     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
  74.     /**
  75.      * The filter defining which files will be analyzed.
  76.      */
  77.     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
  78.     /**
  79.      * Name.
  80.      */
  81.     public static final String NAME = "Name: ";
  82.     /**
  83.      * Version.
  84.      */
  85.     public static final String VERSION = "Version: ";
  86.     /**
  87.      * Advisory.
  88.      */
  89.     public static final String ADVISORY = "Advisory: ";
  90.     /**
  91.      * CVE.
  92.      */
  93.     public static final String CVE = "CVE: ";
  94.     /**
  95.      * Criticality.
  96.      */
  97.     public static final String CRITICALITY = "Criticality: ";

  99.     /**
  100.      * The DAL.
  101.      */
  102.     private CveDB cvedb = null;

  104.     /**
  105.      * If {@link #analyzeDependency(Dependency, Engine)} is called, then we have
  106.      * successfully initialized, and it will be necessary to disable
  107.      * {@link RubyGemspecAnalyzer}.
  108.      */
  109.     private boolean needToDisableGemspecAnalyzer = true;

  111.     /**
  112.      * @return a filter that accepts files named Gemfile.lock
  113.      */
  114.     @Override
  115.     protected FileFilter getFileFilter() {
  116.         return FILTER;
  117.     }

  119.     /**
  120.      * Returns the name of the analyzer.
  121.      *
  122.      * @return the name of the analyzer.
  123.      */
  124.     @Override
  125.     public String getName() {
  126.         return ANALYZER_NAME;
  127.     }

  129.     /**
  130.      * Returns the phase that the analyzer is intended to run in.
  131.      *
  132.      * @return the phase that the analyzer is intended to run in.
  133.      */
  134.     @Override
  135.     public AnalysisPhase getAnalysisPhase() {
  136.         return ANALYSIS_PHASE;
  137.     }

  139.     /**
  140.      * Returns the key used in the properties file to reference the analyzer's
  141.      * enabled property.
  142.      *
  143.      * @return the analyzer's enabled property setting key
  144.      */
  145.     @Override
  146.     protected String getAnalyzerEnabledSettingKey() {
  147.         return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
  148.     }

  150.     /**
  151.      * Launch bundle-audit.
  152.      *
  153.      * @param folder directory that contains bundle audit
  154.      * @param bundleAuditArgs the arguments to pass to bundle audit
  155.      * @return a handle to the process
  156.      * @throws AnalysisException thrown when there is an issue launching bundle
  157.      * audit
  158.      */
  159.     private Process launchBundleAudit(File folder, List<String> bundleAuditArgs) throws AnalysisException {
  160.         if (!folder.isDirectory()) {
  161.             throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
  162.         }
  163.         final List<String> args = new ArrayList<>();
  164.         final String bundleAuditPath = getSettings().getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
  165.         File bundleAudit = null;
  166.         if (bundleAuditPath != null) {
  167.             bundleAudit = new File(bundleAuditPath);
  168.             if (!bundleAudit.isFile()) {
  169.                 LOGGER.warn("Supplied `bundleAudit` path is incorrect: {}", bundleAuditPath);
  170.                 bundleAudit = null;
  171.             }
  172.         }
  173.         args.add(bundleAudit != null ? bundleAudit.getAbsolutePath() : "bundle-audit");
  174.         args.addAll(bundleAuditArgs);
  175.         final ProcessBuilder builder = new ProcessBuilder(args);

  177.         final String bundleAuditWorkingDirectoryPath = getSettings().getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY);
  178.         File bundleAuditWorkingDirectory = null;
  179.         if (bundleAuditWorkingDirectoryPath != null) {
  180.             bundleAuditWorkingDirectory = new File(bundleAuditWorkingDirectoryPath);
  181.             if (!bundleAuditWorkingDirectory.isDirectory()) {
  182.                 LOGGER.warn("Supplied `bundleAuditWorkingDirectory` path is incorrect: {}",
  183.                         bundleAuditWorkingDirectoryPath);
  184.                 bundleAuditWorkingDirectory = null;
  185.             }
  186.         }
  187.         final File launchBundleAuditFromDirectory = bundleAuditWorkingDirectory != null ? bundleAuditWorkingDirectory : folder;
  188.         builder.directory(launchBundleAuditFromDirectory);
  189.         try {
  190.             LOGGER.info("Launching: {} from {}", args, launchBundleAuditFromDirectory);
  191.             return builder.start();
  192.         } catch (IOException ioe) {
  193.             throw new AnalysisException("bundle-audit initialization failure; this error "
  194.                     + "can be ignored if you are not analyzing Ruby. Otherwise ensure that "
  195.                     + "bundle-audit is installed and the path to bundle audit is correctly "
  196.                     + "specified", ioe);
  197.         }
  198.     }

  200.     /**
  201.      * Initialize the analyzer.
  202.      *
  203.      * @param engine a reference to the dependency-checkException engine
  204.      * @throws InitializationException if anything goes wrong
  205.      */
  206.     @Override
  207.     public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
  208.         if (engine != null) {
  209.             this.cvedb = engine.getDatabase();
  210.         }
  211.         String bundleAuditVersionDetails = null;
  212.         try {
  213.             final List<String> bundleAuditArgs = Collections.singletonList("version");
  214.             final Process process = launchBundleAudit(getSettings().getTempDirectory(), bundleAuditArgs);
  215.             try (ProcessReader processReader = new ProcessReader(process)) {
  216.                 processReader.readAll();
  217.                 final String error = processReader.getError();
  218.                 if (error != null) {
  219.                     LOGGER.warn("Warnings from bundle-audit {}", error);
  220.                 }
  221.                 bundleAuditVersionDetails = processReader.getOutput();
  222.                 final int exitValue = process.exitValue();
  223.                 if (exitValue != 0) {
  224.                     setEnabled(false);
  225.                     final String msg = String.format("bundle-audit execution failed - "
  226.                             + "exit code: %d; error: %s ", exitValue, error);
  227.                     throw new InitializationException(msg);
  228.                 }
  229.             }
  230.         } catch (AnalysisException ae) {
  231.             setEnabled(false);
  232.             final String msg = String.format("Exception from bundle-audit process: %s. "
  233.                     + "Disabling %s", ae.getCause(), ANALYZER_NAME);
  234.             throw new InitializationException(msg, ae);
  235.         } catch (UnsupportedEncodingException ex) {
  236.             setEnabled(false);
  237.             throw new InitializationException("Unexpected bundle-audit encoding when "
  238.                     + "reading input stream.", ex);
  239.         } catch (IOException ex) {
  240.             setEnabled(false);
  241.             throw new InitializationException("Unable to read bundle-audit output.", ex);
  242.         } catch (InterruptedException ex) {
  243.             setEnabled(false);
  244.             final String msg = String.format("Bundle-audit process was interrupted. "
  245.                     + "Disabling %s", ANALYZER_NAME);
  246.             Thread.currentThread().interrupt();
  247.             throw new InitializationException(msg);
  248.         }
  249.         LOGGER.info("{} is enabled and is using bundle-audit with version details: {}. "
  250.                 + "Note: It is necessary to manually run \"bundle-audit update\" "
  251.                 + "occasionally to keep its database up to date.", ANALYZER_NAME,
  252.                 bundleAuditVersionDetails);
  253.     }

  255.     /**
  256.      * Determines if the analyzer can analyze the given file type.
  257.      *
  258.      * @param dependency the dependency to determine if it can analyze
  259.      * @param engine the dependency-checkException engine
  260.      * @throws AnalysisException thrown if there is an analysis exception.
  261.      */
  262.     @Override
  263.     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
  264.         if (needToDisableGemspecAnalyzer) {
  265.             boolean failed = true;
  266.             final String className = RubyGemspecAnalyzer.class.getName();
  267.             for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
  268.                 if (analyzer instanceof RubyBundlerAnalyzer) {
  269.                     ((RubyBundlerAnalyzer) analyzer).setEnabled(false);
  270.                     LOGGER.info("Disabled {} to avoid noisy duplicate results.",
  271.                             RubyBundlerAnalyzer.class.getName());
  272.                 } else if (analyzer instanceof RubyGemspecAnalyzer) {
  273.                     ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
  274.                     LOGGER.info("Disabled {} to avoid noisy duplicate results.", className);
  275.                     failed = false;
  276.                 }
  277.             }
  278.             needToDisableGemspecAnalyzer = false;
  279.         }
  280.         final File parentFile = dependency.getActualFile().getParentFile();
  281.         final List<String> bundleAuditArgs = Arrays.asList("check", "--verbose");

  283.         final Process process = launchBundleAudit(parentFile, bundleAuditArgs);
  284.         try (BundlerAuditProcessor processor = new BundlerAuditProcessor(dependency, engine);
  285.                 ProcessReader processReader = new ProcessReader(process, processor)) {

  287.             processReader.readAll();
  288.             final String error = processReader.getError();
  289.             if (StringUtils.isNoneBlank(error)) {
  290.                 LOGGER.warn("Warnings from bundle-audit {}", error);
  291.             }
  292.             final int exitValue = process.exitValue();
  293.             if (exitValue < 0 || exitValue > 1) {
  294.                 final String msg = String.format("Unexpected exit code from bundle-audit "
  295.                         + "process; exit code: %s", exitValue);
  296.                 throw new AnalysisException(msg);
  297.             }
  298.         } catch (InterruptedException ie) {
  299.             Thread.currentThread().interrupt();
  300.             throw new AnalysisException("bundle-audit process interrupted", ie);
  301.         } catch (IOException | CpeValidationException ioe) {
  302.             LOGGER.warn("bundle-audit failure", ioe);
  303.             throw new AnalysisException("bunder-audit error: " + ioe.getMessage(), ioe);
  304.         }
  305.     }
  306. }
Created with JaCoCo 0.8.12.202403310830