dr-source 0.70.0__tar.gz

dr_source-0.70.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Paolo Perego
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

dr_source-0.70.0/PKG-INFO

@@ -0,0 +1,130 @@
+Metadata-Version: 2.2
+Name: dr_source
+Version: 0.70.0
+Summary: Java and JSP Vulnerability Static Analyzer
+Author: Paolo Perego
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click
+Requires-Dist: javalang
+Requires-Dist: beautifulsoup4
+Requires-Dist: scikit-learn
+Requires-Dist: PyYAML
+Dynamic: author
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: requires-dist
+Dynamic: summary
+
+# DRSource
+
+DRSource is a static analysis tool designed to detect vulnerabilities in Java and JSP projects. It combines multiple detection techniques—including regex‑based detection and AST‑based taint propagation analysis—to identify security issues such as SQL Injection, Cross‑Site Scripting (XSS), Path Traversal, Command Injection, Serialization Issues, LDAP Injection, XXE, SSRF, and unsafe cryptographic/hashing functions.
+
+## Features
+
+- **Regex‑Based Detection**  
+  Utilizes carefully crafted regular expressions to identify known vulnerability patterns in source code.
+
+- **AST‑Based Taint Analysis**  
+  Leverages [javalang](https://github.com/c2nes/javalang) to parse Java source files into an Abstract Syntax Tree (AST) and performs forward data‑flow analysis to propagate taint from user input sources (e.g., `request.getParameter`) to sensitive sinks (e.g., `executeQuery`).
+
+- **Data‑Flow Analysis Framework**  
+  A simplified yet robust framework that tracks tainted variables through declarations and assignments to flag dangerous data flows.
+
+- **Multi‑Detector Support**  
+  Detects various vulnerabilities including:
+  - SQL Injection
+  - Cross‑Site Scripting (XSS)
+  - Path Traversal
+  - Command Injection
+  - Serialization Issues
+  - LDAP Injection
+  - XXE (XML External Entity) Attacks
+  - SSRF (Server-Side Request Forgery)
+  - Unsafe Crypto/Hashing functions
+
+- **Parallel Scanning & Progress Bar**  
+  Files are scanned in parallel with a progress bar for faster analysis on large codebases.
+
+- **Robust CLI**  
+  The command‑line interface offers options to:
+  - Initialize the database (`--init-db`)
+  - View scan history (`--history`)
+  - Compare scans (`--compare`)
+  - Export results in SARIF, JSON, or HTML formats (`--export`)
+  - Enable AST‑based detection (`--ast`)
+  - Enable debug logging (`--debug`)
+  - Display version information (`--version`)
+
+## Installation
+
+Clone the repository and navigate to the project root:
+
+```bash
+git clone https://github.com/thesp0nge/dr_source.git
+cd dr_source
+```
+
+Install the package in editable mode:
+
+```bash
+pip install --editable .
+```
+
+## Usage
+
+Run dr_source using the CLI:
+
+```bash
+dr_source [OPTIONS] TARGET_PATH
+```
+
+### Options
+
+- TARGET_PATH: The path of the codebase (directory containing Java/JSP files) to analyze.
+- --init-db: Initialize the database from scratch (drops and recreates tables).
+- --history: Display the scan history for the project.
+- --compare <ID>: Compare the latest scan with a previous scan specified by ID.
+- --export [sarif|json|html]: Export scan results in the specified format.
+- --ast: Enable AST‑based detection (in addition to regex‑based detection).
+- --debug: Enable debug logging.
+- --version: Show DRSource version (as defined in setup.py) and exit.
+
+### Examples
+
+- Scan a Codebase Using AST‑Based Detection with Debug Logging:
+
+```bash
+dr_source --ast --debug /path/to/codebase
+```
+
+- Initialize the Database:
+
+```bash
+dr_source --init-db /path/to/codebase
+```
+
+- Export Results as SARIF:
+
+```bash
+dr_source --export sarif /path/to/codebase
+```
+
+## Contributing
+
+Contributions are welcome! To contribute:
+
+- Fork the repository.
+- Create a new branch for your feature or bugfix.
+- Make your changes with clear commit messages.
+- Submit a pull request for review.
+- For major changes, please open an issue first to discuss your proposed changes.
+
+## License
+
+dr_source is licensed under the MIT License.
+
+## Acknowledgments
+
+Special thanks to the maintainers of [javalang](https://github.com/c2nes/javalang) for their work on Java AST parsing.
+Inspired by various static analysis and security tools.

dr_source-0.70.0/README.md

@@ -0,0 +1,112 @@
+# DRSource
+
+DRSource is a static analysis tool designed to detect vulnerabilities in Java and JSP projects. It combines multiple detection techniques—including regex‑based detection and AST‑based taint propagation analysis—to identify security issues such as SQL Injection, Cross‑Site Scripting (XSS), Path Traversal, Command Injection, Serialization Issues, LDAP Injection, XXE, SSRF, and unsafe cryptographic/hashing functions.
+
+## Features
+
+- **Regex‑Based Detection**  
+  Utilizes carefully crafted regular expressions to identify known vulnerability patterns in source code.
+
+- **AST‑Based Taint Analysis**  
+  Leverages [javalang](https://github.com/c2nes/javalang) to parse Java source files into an Abstract Syntax Tree (AST) and performs forward data‑flow analysis to propagate taint from user input sources (e.g., `request.getParameter`) to sensitive sinks (e.g., `executeQuery`).
+
+- **Data‑Flow Analysis Framework**  
+  A simplified yet robust framework that tracks tainted variables through declarations and assignments to flag dangerous data flows.
+
+- **Multi‑Detector Support**  
+  Detects various vulnerabilities including:
+  - SQL Injection
+  - Cross‑Site Scripting (XSS)
+  - Path Traversal
+  - Command Injection
+  - Serialization Issues
+  - LDAP Injection
+  - XXE (XML External Entity) Attacks
+  - SSRF (Server-Side Request Forgery)
+  - Unsafe Crypto/Hashing functions
+
+- **Parallel Scanning & Progress Bar**  
+  Files are scanned in parallel with a progress bar for faster analysis on large codebases.
+
+- **Robust CLI**  
+  The command‑line interface offers options to:
+  - Initialize the database (`--init-db`)
+  - View scan history (`--history`)
+  - Compare scans (`--compare`)
+  - Export results in SARIF, JSON, or HTML formats (`--export`)
+  - Enable AST‑based detection (`--ast`)
+  - Enable debug logging (`--debug`)
+  - Display version information (`--version`)
+
+## Installation
+
+Clone the repository and navigate to the project root:
+
+```bash
+git clone https://github.com/thesp0nge/dr_source.git
+cd dr_source
+```
+
+Install the package in editable mode:
+
+```bash
+pip install --editable .
+```
+
+## Usage
+
+Run dr_source using the CLI:
+
+```bash
+dr_source [OPTIONS] TARGET_PATH
+```
+
+### Options
+
+- TARGET_PATH: The path of the codebase (directory containing Java/JSP files) to analyze.
+- --init-db: Initialize the database from scratch (drops and recreates tables).
+- --history: Display the scan history for the project.
+- --compare <ID>: Compare the latest scan with a previous scan specified by ID.
+- --export [sarif|json|html]: Export scan results in the specified format.
+- --ast: Enable AST‑based detection (in addition to regex‑based detection).
+- --debug: Enable debug logging.
+- --version: Show DRSource version (as defined in setup.py) and exit.
+
+### Examples
+
+- Scan a Codebase Using AST‑Based Detection with Debug Logging:
+
+```bash
+dr_source --ast --debug /path/to/codebase
+```
+
+- Initialize the Database:
+
+```bash
+dr_source --init-db /path/to/codebase
+```
+
+- Export Results as SARIF:
+
+```bash
+dr_source --export sarif /path/to/codebase
+```
+
+## Contributing
+
+Contributions are welcome! To contribute:
+
+- Fork the repository.
+- Create a new branch for your feature or bugfix.
+- Make your changes with clear commit messages.
+- Submit a pull request for review.
+- For major changes, please open an issue first to discuss your proposed changes.
+
+## License
+
+dr_source is licensed under the MIT License.
+
+## Acknowledgments
+
+Special thanks to the maintainers of [javalang](https://github.com/c2nes/javalang) for their work on Java AST parsing.
+Inspired by various static analysis and security tools.

dr_source-0.70.0/bin/dr_source

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+"""
+DRSource - Main executable script
+
+Usage:
+    dr_source [OPTIONS] TARGET_PATH
+
+This script launches the DRSource CLI.
+"""
+
+import os
+import sys
+
+# Add the project root to the sys.path so that "dr_source" can be imported.
+current_dir = os.path.dirname(os.path.abspath(__file__))
+project_root = os.path.abspath(os.path.join(current_dir, ".."))
+sys.path.insert(0, project_root)
+
+try:
+    from dr_source.cli import main
+except ModuleNotFoundError as e:
+    sys.exit(
+        f"Error: {e}\nMake sure the package is installed or that your PYTHONPATH includes the project root."
+    )
+
+if __name__ == "__main__":
+    sys.exit(main())

dr_source-0.70.0/dr_source/cli.py

@@ -0,0 +1,172 @@
+#!/usr/bin/env python3
+import click
+import time
+import os
+import json
+from dr_source.core.codebase import Codebase
+from dr_source.core.scanner import Scanner
+from dr_source.core.db import ScanDatabase
+from dr_source.logging import setup_logging
+
+# Use importlib.metadata to get version information from the installed package
+try:
+    from importlib.metadata import version as get_version
+except ImportError:
+    from importlib_metadata import version as get_version
+
+
+@click.command(context_settings=dict(ignore_unknown_options=True))
+@click.argument("target_path", required=False, type=click.Path(exists=True))
+@click.option("--init-db", is_flag=True, help="Initialize the database from scratch.")
+@click.option("--history", is_flag=True, help="Show the scan history for this project.")
+@click.option(
+    "--compare", type=int, help="Compare the latest scan with the scan specified by ID."
+)
+@click.option(
+    "--export",
+    type=click.Choice(["sarif", "json", "html"]),
+    help="Export results in the specified format.",
+)
+@click.option("--verbose", is_flag=True, help="Show detailed output during comparison.")
+@click.option(
+    "--output",
+    type=click.Path(),
+    help="Output file for the exported report (if not specified, a default name is used).",
+)
+@click.option("--debug", is_flag=True, help="Enable debug logging.")
+@click.option(
+    "--version", "show_version", is_flag=True, help="Show DRSource version and exit."
+)
+@click.option(
+    "--ast", is_flag=True, help="Enable AST-based detection (instead of regex-based)."
+)
+def main(
+    target_path,
+    init_db,
+    history,
+    compare,
+    export,
+    verbose,
+    output,
+    debug,
+    show_version,
+    ast,
+):
+    """
+    DRSource - A static analysis tool for detecting vulnerabilities in Java/JSP projects.
+
+    TARGET_PATH is the path of the codebase to analyze.
+    """
+    if show_version:
+        try:
+            pkg_version = get_version("dr_source")
+        except Exception:
+            pkg_version = "unknown"
+        click.echo(f"DRSource version {pkg_version}")
+        return
+
+    setup_logging(debug=debug)
+
+    # Enforce target_path if not provided for non--version operations
+    if not target_path:
+        ctx = click.get_current_context()
+        ctx.fail("Missing argument 'TARGET_PATH'.")
+
+    project_name = os.path.basename(os.path.abspath(target_path))
+    db = ScanDatabase(project_name)
+
+    if init_db:
+        click.echo("🔄 Initializing the database...")
+        db.initialize()
+        click.echo("✅ Database initialized successfully.")
+        return
+
+    if history:
+        click.echo(f"\n📌 Scan history for '{project_name}':")
+        history_records = db.get_scan_history()
+        if not history_records:
+            click.echo("🔍 No scan history found for this project.")
+        else:
+            for scan in history_records:
+                click.echo(
+                    f"[{scan[1]}] ID {scan[0]} | Vulnerabilities found: {scan[2]}"
+                )
+        return
+
+    if compare:
+        latest_scan_id = db.get_latest_scan_id()
+        if not latest_scan_id:
+            click.echo("❌ No scan history available.")
+            return
+        click.echo(f"🔍 Comparing scan {compare} with latest scan {latest_scan_id}...")
+        comparison = db.compare_scans(compare, latest_scan_id)
+        click.echo(f"📌 New vulnerabilities: {len(comparison['new'])}")
+        click.echo(f"✅ Resolved: {len(comparison['resolved'])}")
+        click.echo(f"⚠️ Persistent: {len(comparison['persistent'])}")
+        if verbose:
+            if comparison["new"]:
+                click.echo("\n🆕 New vulnerabilities:")
+                for vuln in comparison["new"]:
+                    click.echo(f"  - {vuln}")
+            if comparison["resolved"]:
+                click.echo("\n✅ Resolved vulnerabilities:")
+                for vuln in comparison["resolved"]:
+                    click.echo(f"  - {vuln}")
+            if comparison["persistent"]:
+                click.echo("\n⚠️ Persistent vulnerabilities:")
+                for vuln in comparison["persistent"]:
+                    click.echo(f"  - {vuln}")
+        return
+
+    start_time = time.time()
+    click.echo(f"🔍 Starting scan on {target_path}...")
+
+    if ast:
+        click.echo("🔎 Using AST-based detection mode.")
+    else:
+        click.echo("🔎 Using regex-based detection mode.")
+
+    codebase = Codebase(target_path)
+    codebase.load_files()
+
+    scanner = Scanner(codebase, ast_mode=ast)
+    # Use a progress bar while scanning files in parallel (implemented in scanner.scan)
+    results = scanner.scan()
+
+    scan_duration = time.time() - start_time
+    num_files = len(codebase.files)
+    num_vulns = len(results)
+
+    click.echo(
+        f"\n✅ Scan completed: {num_files} files analyzed, {num_vulns} vulnerabilities found in {scan_duration:.2f} seconds."
+    )
+
+    scan_id = db.start_scan()
+    db.store_vulnerabilities(scan_id, results)
+    db.update_scan_summary(scan_id, num_vulns, num_files, scan_duration)
+
+    if export:
+        out_file = output if output else f"{project_name}_scan_{scan_id}.{export}"
+        if export == "sarif":
+            from dr_source.reports.sarif import SARIFReport
+
+            reporter = SARIFReport()
+            report_content = reporter.generate(results)
+            with open(out_file, "w") as f:
+                f.write(report_content)
+            click.echo(f"📄 Results exported to {out_file}")
+        elif export == "json":
+            with open(out_file, "w") as f:
+                json.dump(results, f, indent=2)
+            click.echo(f"📄 Results exported to {out_file}")
+        elif export == "html":
+            click.echo("📄 HTML export not yet implemented.")
+    else:
+        for res in results:
+            click.echo(
+                f"[{res['vuln_type']}] {res['file']}:{res['line']} -> {res['match']}"
+            )
+
+
+if __name__ == "__main__":
+    main()

dr_source-0.70.0/dr_source/core/codebase.py

@@ -0,0 +1,29 @@
+# dr_source/core/codebase.py
+import os
+
+
+class FileObject:
+    def __init__(self, path, content):
+        self.path = path
+        self.content = content
+
+
+class Codebase:
+    def __init__(self, root_path):
+        self.root_path = root_path
+        self.files = []
+
+    def load_files(self):
+        for root, _, files in os.walk(self.root_path):
+            for file in files:
+                if file.endswith(".java") or file.endswith(".jsp"):
+                    file_path = os.path.join(root, file)
+                    try:
+                        with open(
+                            file_path, "r", encoding="utf-8", errors="ignore"
+                        ) as f:
+                            content = f.read()
+                        self.files.append(FileObject(file_path, content))
+                    except Exception as e:
+                        print(f"Error reading {file_path}: {e}")
+        return self.files