View Javadoc
1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2021 The OWASP Foundation. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.analyzer;
19  
20  import com.github.packageurl.MalformedPackageURLException;
21  import com.github.packageurl.PackageURL;
22  import com.github.packageurl.PackageURLBuilder;
23  import org.owasp.dependencycheck.Engine;
24  import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
25  import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
26  import org.owasp.dependencycheck.dependency.Confidence;
27  import org.owasp.dependencycheck.dependency.Dependency;
28  import org.owasp.dependencycheck.dependency.EvidenceType;
29  import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
30  import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
31  import org.owasp.dependencycheck.utils.Checksum;
32  import org.owasp.dependencycheck.utils.FileFilterBuilder;
33  import org.owasp.dependencycheck.utils.Settings;
34  import org.slf4j.Logger;
35  import org.slf4j.LoggerFactory;
36  
37  import javax.annotation.concurrent.ThreadSafe;
38  import jakarta.json.Json;
39  import jakarta.json.JsonArray;
40  import jakarta.json.JsonObject;
41  import jakarta.json.JsonReader;
42  import java.io.FileFilter;
43  import java.io.IOException;
44  import java.io.InputStream;
45  import java.nio.file.Files;
46  
47  /**
48   * This analyzer is used to analyze the SWIFT Package Resolved
49   * (https://swift.org/package-manager/). It collects information about a package
50   * from Package.resolved files.
51   *
52   * @author Jorge Mendes (https://twitter.com/Jorzze)
53   */
54  @Experimental
55  @ThreadSafe
56  public class SwiftPackageResolvedAnalyzer extends AbstractFileTypeAnalyzer {
57  
58      /**
59       * The logger.
60       */
61      private static final Logger LOGGER = LoggerFactory.getLogger(SwiftPackageResolvedAnalyzer.class);
62  
63      /**
64       * A descriptor for the type of dependencies processed or added by this
65       * analyzer.
66       */
67      public static final String DEPENDENCY_ECOSYSTEM = Ecosystem.IOS;
68  
69      /**
70       * The name of the analyzer.
71       */
72      private static final String ANALYZER_NAME = "SWIFT Package Resolved Analyzer";
73  
74      /**
75       * The phase that this analyzer is intended to run in.
76       */
77      private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
78  
79      /**
80       * The file name to scan.
81       */
82      public static final String SPM_RESOLVED_FILE_NAME = "Package.resolved";
83  
84      /**
85       * Filter that detects files named "Package.resolved".
86       */
87      private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_RESOLVED_FILE_NAME).build();
88  
89      /**
90       * Returns the FileFilter
91       *
92       * @return the FileFilter
93       */
94      @Override
95      protected FileFilter getFileFilter() {
96          return SPM_FILE_FILTER;
97      }
98  
99      @Override
100     protected void prepareFileTypeAnalyzer(Engine engine) {
101         // NO-OP
102     }
103 
104     /**
105      * Returns the name of the analyzer.
106      *
107      * @return the name of the analyzer.
108      */
109     @Override
110     public String getName() {
111         return ANALYZER_NAME;
112     }
113 
114     /**
115      * Returns the phase that the analyzer is intended to run in.
116      *
117      * @return the phase that the analyzer is intended to run in.
118      */
119     @Override
120     public AnalysisPhase getAnalysisPhase() {
121         return ANALYSIS_PHASE;
122     }
123 
124     /**
125      * Returns the key used in the properties file to reference the analyzer's
126      * enabled property.
127      *
128      * @return the analyzer's enabled property setting key
129      */
130     @Override
131     protected String getAnalyzerEnabledSettingKey() {
132         return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED;
133     }
134 
135     @Override
136     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
137         try {
138             engine.removeDependency(dependency);
139             analyzeSpmResolvedDependencies(dependency, engine);
140         } catch (IOException ex) {
141             throw new AnalysisException(
142                     "Problem occurred while reading dependency file: " + dependency.getActualFilePath(), ex);
143         }
144     }
145 
146     /**
147      * Analyzes the Package.resolved file to extract evidence for the
148      * dependency.
149      *
150      * @param spmResolved the dependency to analyze
151      * @param engine the analysis engine
152      * @throws AnalysisException thrown if there is an error analyzing the
153      * dependency
154      */
155     private void analyzeSpmResolvedDependencies(Dependency spmResolved, Engine engine)
156             throws AnalysisException, IOException {
157 
158         try (InputStream in = Files.newInputStream(spmResolved.getActualFile().toPath());
159              JsonReader resolved = Json.createReader(in)) {
160             final JsonObject file = resolved.readObject();
161             final int fileVersion = file.getInt("version");
162 
163             switch (fileVersion) {
164                 case 1:
165                     analyzeSpmResolvedDependenciesV1(spmResolved, engine, file);
166                     break;
167                 case 2:
168                 case 3:
169                     analyzeSpmResolvedDependenciesV2And3(spmResolved, engine, file);
170                     break;
171                 default:
172                     return;
173             }
174         }
175     }
176 
177     /**
178      * Analyzes the version 1 of the Package.resolved file to extract evidence
179      * for the dependency.
180      *
181      * @param spmResolved the dependency to analyze
182      * @param engine the analysis engine
183      * @param resolved the json object of the file to analyze
184      */
185     private void analyzeSpmResolvedDependenciesV1(Dependency spmResolved, Engine engine, JsonObject resolved) {
186         final JsonObject object = resolved.getJsonObject("object");
187         if (object == null) {
188             return;
189         }
190         final JsonArray pins = object.getJsonArray("pins");
191         if (pins == null) {
192             return;
193         }
194         pins.forEach(row -> {
195             final JsonObject pin = (JsonObject) row;
196             final String name = pin.getString("package");
197             final String repo = pin.getString("repositoryURL");
198             String version = null;
199             final JsonObject state = pin.getJsonObject("state");
200             if (state != null) {
201                 if (!state.isNull("version")) {
202                     version = state.getString("version");
203                 } else if (!state.isNull("branch")) {
204                     version = state.getString("branch");
205                 }
206             }
207             final Dependency dependency = createDependency(spmResolved, SPM_RESOLVED_FILE_NAME, name, version, repo);
208             engine.addDependency(dependency);
209         });
210     }
211 
212     /**
213      * Analyzes the versions 2 and 3 of the Package.resolved file to extract evidence
214      * for the dependency.
215      *
216      * @param spmResolved the dependency to analyze
217      * @param engine the analysis engine
218      * @param resolved the json object of the file to analyze
219      */
220     private void analyzeSpmResolvedDependenciesV2And3(Dependency spmResolved, Engine engine, JsonObject resolved) {
221         final JsonArray pins = resolved.getJsonArray("pins");
222         if (pins == null) {
223             return;
224         }
225         pins.forEach(row -> {
226             final JsonObject pin = (JsonObject) row;
227             final String name = pin.getString("identity");
228             final String repo = pin.getString("location");
229             String version = null;
230             final JsonObject state = pin.getJsonObject("state");
231             if (state != null) {
232                 if (state.containsKey("version")
233                         && !state.isNull("version")
234                         && !state.getString("version").isEmpty()) {
235                     version = state.getString("version");
236                 } else if (state.containsKey("branch") && !state.isNull("branch")) {
237                     version = state.getString("branch");
238                 }
239             }
240             final Dependency dependency = createDependency(spmResolved, SPM_RESOLVED_FILE_NAME, name, version, repo);
241             engine.addDependency(dependency);
242         });
243     }
244 
245     /**
246      * Creates a dependency object.
247      *
248      * @param parent the parent dependency
249      * @param source the source type
250      * @param name the name of the dependency
251      * @param version the version of the dependency
252      * @param repo the repository URL of the dependency
253      * @return the newly created dependency object
254      */
255     private Dependency createDependency(Dependency parent, String source, final String name, String version, String repo) {
256         final Dependency dependency = new Dependency(parent.getActualFile(), true);
257         dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
258         dependency.setName(name);
259         dependency.setVersion(version);
260         final String packagePath = String.format("%s:%s", name, version);
261         dependency.setPackagePath(packagePath);
262         dependency.setDisplayFileName(packagePath);
263         dependency.setSha1sum(Checksum.getSHA1Checksum(packagePath));
264         dependency.setSha256sum(Checksum.getSHA256Checksum(packagePath));
265         dependency.setMd5sum(Checksum.getMD5Checksum(packagePath));
266         dependency.addEvidence(EvidenceType.VENDOR, source, "name", name, Confidence.HIGHEST);
267         dependency.addEvidence(EvidenceType.PRODUCT, source, "name", name, Confidence.HIGHEST);
268         dependency.addEvidence(EvidenceType.VENDOR, source, "repositoryUrl", repo, Confidence.HIGH);
269         dependency.addEvidence(EvidenceType.PRODUCT, source, "repositoryUrl", repo, Confidence.HIGH);
270         dependency.addEvidence(EvidenceType.VERSION, source, "version", version, Confidence.HIGHEST);
271         try {
272             final PackageURLBuilder builder = PackageURLBuilder.aPackageURL().withType("swift").withName(dependency.getName());
273             if (dependency.getVersion() != null) {
274                 builder.withVersion(dependency.getVersion());
275             }
276             final PackageURL purl = builder.build();
277             dependency.addSoftwareIdentifier(new PurlIdentifier(purl, Confidence.HIGHEST));
278         } catch (MalformedPackageURLException ex) {
279             LOGGER.debug("Unable to build package url for swift dependency", ex);
280             final GenericIdentifier id;
281             if (dependency.getVersion() != null) {
282                 id = new GenericIdentifier("swift:" + dependency.getName() + "@" + dependency.getVersion(), Confidence.HIGHEST);
283             } else {
284                 id = new GenericIdentifier("swift:" + dependency.getName(), Confidence.HIGHEST);
285             }
286             dependency.addSoftwareIdentifier(id);
287         }
288         return dependency;
289     }
290 }