1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.owasp.dependencycheck.data.artifactory;
19
20 import java.io.FileNotFoundException;
21 import java.io.IOException;
22 import java.io.InputStreamReader;
23 import java.net.HttpURLConnection;
24 import java.net.MalformedURLException;
25 import java.net.URL;
26 import java.nio.charset.StandardCharsets;
27 import java.util.ArrayList;
28 import java.util.Base64;
29 import java.util.List;
30 import java.util.UUID;
31 import java.util.regex.Matcher;
32 import java.util.regex.Pattern;
33
34 import javax.annotation.concurrent.ThreadSafe;
35
36 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
37 import org.owasp.dependencycheck.dependency.Dependency;
38 import org.owasp.dependencycheck.utils.Checksum;
39 import org.owasp.dependencycheck.utils.InvalidSettingException;
40 import org.owasp.dependencycheck.utils.Settings;
41 import org.owasp.dependencycheck.utils.URLConnectionFactory;
42 import org.slf4j.Logger;
43 import org.slf4j.LoggerFactory;
44
45 import com.fasterxml.jackson.core.JsonParser;
46 import com.fasterxml.jackson.databind.DeserializationFeature;
47 import com.fasterxml.jackson.databind.ObjectMapper;
48 import com.fasterxml.jackson.databind.ObjectReader;
49
50
51
52
53
54
55
56
57
58 @ThreadSafe
59 @SuppressWarnings("squid:S2647")
60 public class ArtifactorySearch {
61
62
63
64
65 private static final Logger LOGGER = LoggerFactory.getLogger(ArtifactorySearch.class);
66
67
68
69
70 private static final Pattern PATH_PATTERN = Pattern.compile("^/(?<groupId>.+)/(?<artifactId>[^/]+)/(?<version>[^/]+)/[^/]+$");
71
72
73
74 private static final String WHILE_ACTUAL_IS = " while actual is ";
75
76
77
78 private final String rootURL;
79
80
81
82
83 private final boolean useProxy;
84
85
86
87
88 private final Settings settings;
89
90
91
92
93 private final ObjectReader objectReader;
94
95
96
97
98
99
100 public ArtifactorySearch(Settings settings) {
101 this.settings = settings;
102
103 final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_ARTIFACTORY_URL);
104
105 this.rootURL = searchUrl;
106 LOGGER.debug("Artifactory Search URL {}", searchUrl);
107
108 if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
109 boolean useProxySettings = false;
110 try {
111 useProxySettings = settings.getBoolean(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY);
112 } catch (InvalidSettingException e) {
113 LOGGER.error("Settings {} is invalid, only, true/false is valid", Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, e);
114 }
115 this.useProxy = useProxySettings;
116 LOGGER.debug("Using proxy? {}", useProxy);
117 } else {
118 useProxy = false;
119 LOGGER.debug("Not using proxy");
120 }
121
122 objectReader = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).readerFor(FileImpl.class);
123 }
124
125
126
127
128
129
130
131
132
133
134
135
136 public List<MavenArtifact> search(Dependency dependency) throws IOException {
137
138 final String sha1sum = dependency.getSha1sum();
139 final URL url = buildUrl(sha1sum);
140 final HttpURLConnection conn = connect(url);
141 final int responseCode = conn.getResponseCode();
142 if (responseCode == 200) {
143 return processResponse(dependency, conn);
144 }
145 throw new IOException("Could not connect to Artifactory " + url + " (" + responseCode + "): " + conn.getResponseMessage());
146
147 }
148
149
150
151
152
153
154
155
156 private HttpURLConnection connect(URL url) throws IOException {
157 LOGGER.debug("Searching Artifactory url {}", url);
158
159
160
161
162
163 final URLConnectionFactory factory = new URLConnectionFactory(settings);
164 final HttpURLConnection conn = factory.createHttpURLConnection(url, useProxy);
165 conn.setDoOutput(true);
166
167 conn.addRequestProperty("X-Result-Detail", "info");
168
169 final String username = settings.getString(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME);
170 final String apiToken = settings.getString(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
171 if (username != null && apiToken != null) {
172 final String userpassword = username + ":" + apiToken;
173 final String encodedAuthorization = Base64.getEncoder().encodeToString(userpassword.getBytes(StandardCharsets.UTF_8));
174 conn.addRequestProperty("Authorization", "Basic " + encodedAuthorization);
175 } else {
176 final String bearerToken = settings.getString(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN);
177 if (bearerToken != null) {
178 conn.addRequestProperty("Authorization", "Bearer " + bearerToken);
179 }
180 }
181
182 conn.connect();
183 return conn;
184 }
185
186
187
188
189
190
191
192
193 private URL buildUrl(String sha1sum) throws MalformedURLException {
194
195
196 return new URL(rootURL + "/api/search/checksum?sha1=" + sha1sum);
197 }
198
199
200
201
202
203
204
205
206
207 protected List<MavenArtifact> processResponse(Dependency dependency, HttpURLConnection conn) throws IOException {
208 final List<MavenArtifact> result = new ArrayList<>();
209
210 try (InputStreamReader streamReader = new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8);
211 JsonParser parser = objectReader.getFactory().createParser(streamReader)) {
212
213 if (init(parser) && parser.nextToken() == com.fasterxml.jackson.core.JsonToken.START_OBJECT) {
214
215 do {
216 final FileImpl file = objectReader.readValue(parser);
217
218 checkHashes(dependency, file.getChecksums());
219
220 final Matcher pathMatcher = PATH_PATTERN.matcher(file.getPath());
221 if (!pathMatcher.matches()) {
222 throw new IllegalStateException("Cannot extract the Maven information from the path "
223 + "retrieved in Artifactory " + file.getPath());
224 }
225
226 final String groupId = pathMatcher.group("groupId").replace('/', '.');
227 final String artifactId = pathMatcher.group("artifactId");
228 final String version = pathMatcher.group("version");
229
230 result.add(new MavenArtifact(groupId, artifactId, version, file.getDownloadUri(),
231 MavenArtifact.derivePomUrl(artifactId, version, file.getDownloadUri())));
232
233 } while (parser.nextToken() == com.fasterxml.jackson.core.JsonToken.START_OBJECT);
234 } else {
235 throw new FileNotFoundException("Artifact " + dependency + " not found in Artifactory");
236 }
237 }
238
239 return result;
240 }
241
242 protected boolean init(JsonParser parser) throws IOException {
243 com.fasterxml.jackson.core.JsonToken nextToken = parser.nextToken();
244 if (nextToken != com.fasterxml.jackson.core.JsonToken.START_OBJECT) {
245 throw new IOException("Expected " + com.fasterxml.jackson.core.JsonToken.START_OBJECT + ", got " + nextToken);
246 }
247
248 do {
249 nextToken = parser.nextToken();
250 if (nextToken == null) {
251 break;
252 }
253
254 if (nextToken.isStructStart()) {
255 if (nextToken == com.fasterxml.jackson.core.JsonToken.START_ARRAY && "results".equals(parser.currentName())) {
256 return true;
257 } else {
258 parser.skipChildren();
259 }
260 }
261 } while (true);
262
263 return false;
264 }
265
266
267
268
269
270
271
272
273
274 private void checkHashes(Dependency dependency, ChecksumsImpl checksums) throws FileNotFoundException {
275 final String md5sum = dependency.getMd5sum();
276 if (!checksums.getMd5().equals(md5sum)) {
277 throw new FileNotFoundException("Artifact found by API is not matching the md5 "
278 + "of the artifact (repository hash is " + checksums.getMd5() + WHILE_ACTUAL_IS + md5sum + ") !");
279 }
280 final String sha1sum = dependency.getSha1sum();
281 if (!checksums.getSha1().equals(sha1sum)) {
282 throw new FileNotFoundException("Artifact found by API is not matching the SHA1 "
283 + "of the artifact (repository hash is " + checksums.getSha1() + WHILE_ACTUAL_IS + sha1sum + ") !");
284 }
285 final String sha256sum = dependency.getSha256sum();
286 if (checksums.getSha256() != null && !checksums.getSha256().equals(sha256sum)) {
287 throw new FileNotFoundException("Artifact found by API is not matching the SHA-256 "
288 + "of the artifact (repository hash is " + checksums.getSha256() + WHILE_ACTUAL_IS + sha256sum + ") !");
289 }
290 }
291
292
293
294
295
296
297
298
299 public boolean preflightRequest() {
300 try {
301 final URL url = buildUrl(Checksum.getSHA1Checksum(UUID.randomUUID().toString()));
302 final HttpURLConnection connection = connect(url);
303 if (connection.getResponseCode() != 200) {
304 LOGGER.warn("Expected 200 result from Artifactory ({}), got {}", url, connection.getResponseCode());
305 return false;
306 }
307 return true;
308 } catch (IOException e) {
309 LOGGER.error("Cannot connect to Artifactory", e);
310 return false;
311 }
312
313 }
314 }