ds-server-lib 6.0.0b4__py3-none-any.whl

ds_server_lib-6.0.0b4.dist-info/METADATA

@@ -0,0 +1,30 @@
+Metadata-Version: 2.4
+Name: ds-server-lib
+Version: 6.0.0b4
+Summary: Server library for owasp depscan
+Author-email: Team AppThreat <cloud@appthreat.com>
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/owasp-dep-scan/dep-scan
+Project-URL: Bug-Tracker, https://github.com/owasp-dep-scan/dep-scan/issues
+Project-URL: Funding, https://owasp.org/donate/?reponame=www-project-dep-scan&title=OWASP+depscan
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Utilities
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: appthreat-vulnerability-db>=6.4.4
+Requires-Dist: custom-json-diff>=2.1.6
+Requires-Dist: quart>=0.20.0
+Requires-Dist: rich>=13.9.4
+Requires-Dist: ds-analysis-lib
+Provides-Extra: dev
+Requires-Dist: pytest>=8.3.4; extra == "dev"
+Requires-Dist: pytest-asyncio>=1.2.0; extra == "dev"
+Requires-Dist: pytest-cov>=6.0.0; extra == "dev"

ds_server_lib-6.0.0b4.dist-info/RECORD

@@ -0,0 +1,6 @@
+server_lib/__init__.py,sha256=ws_ZqTtj9Gz593MUBx4bS3xPaFsPCZcq5Be4Aee-_XE,685
+server_lib/simple.py,sha256=mtP2HT927EqqkhHfb7YWryRLzh2sX8S6WRJn-7MCOZE,11380
+ds_server_lib-6.0.0b4.dist-info/METADATA,sha256=Xev5RiLR16P9JVyUlK6O2UEa5BISW8KWQ3VpKdFRWQM,1290
+ds_server_lib-6.0.0b4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+ds_server_lib-6.0.0b4.dist-info/top_level.txt,sha256=ckgyBsWNEmm2AP_zSy5Qb0ktxCsRt9jSiPwC897x9Po,11
+ds_server_lib-6.0.0b4.dist-info/RECORD,,

ds_server_lib-6.0.0b4.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.9.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

ds_server_lib-6.0.0b4.dist-info/top_level.txt

@@ -0,0 +1 @@
+server_lib

server_lib/__init__.py

@@ -0,0 +1,22 @@
+from dataclasses import dataclass
+from typing import Callable, Dict, List, Optional
+from logging import Logger
+from rich.console import Console
+
+
+@dataclass
+class ServerOptions:
+    server_host: str = "127.0.0.1"
+    server_port: int = 7070
+    cdxgen_server: Optional[str] = None
+    allowed_hosts: Optional[List[str]] = None
+    allowed_paths: Optional[List[str]] = None
+    console: Optional[Console] = None
+    logger: Optional[Logger] = None
+    ca_certs: Optional[str] = None
+    certfile: Optional[str] = None
+    keyfile: Optional[str] = None
+    debug: bool = False
+    max_content_length: int = 100 * 1024 * 1024  # 100MB
+    # Hack
+    create_bom: Optional[Callable] = None

server_lib/simple.py

@@ -0,0 +1,316 @@
+import os
+
+from quart import request, Quart
+import tempfile
+
+from analysis_lib import VdrAnalysisKV
+from analysis_lib.vdr import VDRAnalyzer
+from server_lib import ServerOptions
+
+app = Quart(f"dep-scan server ({__name__})", static_folder=None)
+app.config.from_prefixed_env(prefix="DEPSCAN_SERVER")
+app.config["PROVIDE_AUTOMATIC_OPTIONS"] = True
+
+
+def get_allowed_git_schemes(default_schemes=None):
+    if default_schemes is None:
+        default_schemes = {"http", "https", "git", "git+http", "git+https"}
+    env_var_value = os.getenv("DEPSCAN_SERVER_ALLOWED_GIT_SCHEMES")
+    if env_var_value is not None:
+        return {scheme.strip() for scheme in env_var_value.split(",") if scheme.strip()}
+    return default_schemes
+
+
+allowed_git_schemes = get_allowed_git_schemes()
+
+
+@app.get("/")
+async def index():
+    """
+    :return: An empty dictionary
+    """
+    return {}
+
+
+@app.before_request
+async def enforce_allowlists():
+    LOG = app.config.get("LOGGER_INSTANCE")
+    is_testing = bool(os.getenv("PYTEST_CURRENT_TEST"))
+    if is_testing:
+        client_host = request.headers.get("X-Test-Remote-Addr")
+    else:
+        client_host = request.remote_addr
+    allowed_hosts = app.config.get("ALLOWED_HOSTS")
+    if allowed_hosts is not None:
+        if not client_host or client_host not in allowed_hosts:
+            if LOG:
+                LOG.warning(f"Blocked request from unauthorized host: {client_host}")
+            return {"error": "true", "message": "Host not allowed"}, 403
+    if request.path == "/scan":
+        allowed_paths = app.config.get("ALLOWED_PATHS")
+        if allowed_paths is not None:
+            path = None
+            if request.args.get("path"):
+                path = request.args.get("path")
+            elif request.method == "POST":
+                json_data = await request.get_json(silent=True)
+                if json_data and "path" in json_data:
+                    path = json_data["path"]
+            if path:
+                try:
+                    real_path = os.path.realpath(path)
+                    if not any(
+                        real_path.startswith(os.path.realpath(a)) for a in allowed_paths
+                    ):
+                        if LOG:
+                            LOG.warning(f"Blocked request for path: {path}")
+                        return {"error": "true", "message": "Path not allowed"}, 403
+                except (OSError, ValueError):
+                    return {"error": "true", "message": "Invalid path"}, 403
+
+
+@app.after_request
+async def add_security_headers(response):
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "SAMEORIGIN"
+    response.headers["X-XSS-Protection"] = "1; mode=block"
+    response.headers["Strict-Transport-Security"] = (
+        "max-age=31536000; includeSubDomains"
+    )
+    return response
+
+
+@app.route("/scan", methods=["GET", "POST"])
+async def run_scan():
+    """
+    :return: A JSON response containing the SBOM file path and a list of
+    vulnerabilities found in the scanned packages
+    """
+    LOG = app.config.get("LOGGER_INSTANCE")
+    q = request.args
+    params = await request.get_json()
+    uploaded_bom_file = await request.files
+    create_bom = app.config.get("create_bom")
+    url = None
+    path = None
+    multi_project = None
+    project_type = None
+    results = []
+    profile = "generic"
+    deep = False
+    suggest_mode = True if q.get("suggest") in ("true", "1") else False
+    fuzzy_search = True if q.get("fuzzy_search") in ("true", "1") else False
+    if q.get("url"):
+        url = q.get("url")
+    if q.get("path"):
+        path = q.get("path")
+    if q.get("multiProject"):
+        multi_project = q.get("multiProject", "").lower() in ("true", "1")
+    if q.get("deep"):
+        deep = q.get("deep", "").lower() in ("true", "1")
+    if q.get("type"):
+        project_type = q.get("type")
+    if q.get("profile"):
+        profile = q.get("profile")
+    if params is not None:
+        if not url and params.get("url"):
+            url = params.get("url")
+        if not path and params.get("path"):
+            path = params.get("path")
+        if not multi_project and params.get("multiProject"):
+            multi_project = params.get("multiProject", "").lower() in (
+                "true",
+                "1",
+            )
+        if not deep and params.get("deep"):
+            deep = params.get("deep", "").lower() in (
+                "true",
+                "1",
+            )
+        if not project_type and params.get("type"):
+            project_type = params.get("type")
+        if not profile and params.get("profile"):
+            profile = params.get("profile")
+
+    if not path and not url and (uploaded_bom_file.get("file", None) is None):
+        return {
+            "error": "true",
+            "message": "path or url or a bom file upload is required",
+        }, 400
+    if not project_type:
+        return {"error": "true", "message": "project type is required"}, 400
+    cdxgen_server = app.config.get("CDXGEN_SERVER_URL")
+    bom_file_path = None
+    tmp_bom_file = None
+    if uploaded_bom_file.get("file", None) is not None:
+        bom_file = uploaded_bom_file["file"]
+        bom_file_suffix = str(bom_file.filename).rsplit(".", maxsplit=1)[-1]
+        if bom_file_suffix not in (".json", ".cdx", ".bom"):
+            return (
+                {
+                    "error": "true",
+                    "message": "The uploaded file must be a valid JSON.",
+                },
+                400,
+                {"Content-Type": "application/json"},
+            )
+        bom_file_content = bom_file.read().decode("utf-8")
+        try:
+            _ = json.loads(bom_file_content)
+            if (
+                not isinstance(bom_data, dict)
+                or bom_data.get("bomFormat") != "CycloneDX"
+            ):
+                return {
+                    "error": "true",
+                    "message": "Uploaded file is not a valid CycloneDX BOM.",
+                }, 400
+        except (json.JSONDecodeError, KeyError):
+            return (
+                {
+                    "error": "true",
+                    "message": "The uploaded file must be a valid JSON.",
+                },
+                400,
+                {"Content-Type": "application/json"},
+            )
+        if LOG:
+            LOG.debug("Processing uploaded file")
+        tmp_bom_file = tempfile.NamedTemporaryFile(
+            delete=False, suffix=f".bom.{bom_file_suffix}"
+        )
+        path = tmp_bom_file.name
+        file_write(path, bom_file_content)
+    if url:
+        parsed = urlparse(url)
+        if not parsed.scheme or parsed.scheme not in allowed_git_schemes:
+            return {"error": "true", "message": "URL scheme is not allowed."}, 400
+    # Path points to a project directory
+    # Bug# 233. Path could be a url
+    if url or (path and os.path.isdir(path)):
+        with tempfile.NamedTemporaryFile(delete=False, suffix=".bom.json") as bfp:
+            project_type_list = project_type.split(",")
+            if create_bom:
+                bom_status = create_bom(
+                    bfp.name,
+                    path,
+                    {
+                        "url": url,
+                        "path": path,
+                        "project_type": project_type_list,
+                        "multiProject": multi_project,
+                        "cdxgen_server": cdxgen_server,
+                        "profile": profile,
+                        "deep": deep,
+                    },
+                )
+                if bom_status:
+                    if LOG:
+                        LOG.debug("BOM file was generated successfully at %s", bfp.name)
+                    bom_file_path = bfp.name
+
+    # Path points to a SBOM file
+    else:
+        if os.path.exists(path):
+            bom_file_path = path
+    # Direct purl-based lookups are not supported yet.
+    if bom_file_path is not None:
+        pkg_list, _ = get_pkg_list(bom_file_path)
+        # Here we are assuming there will be only one type
+        if project_type in type_audit_map:
+            audit_results = audit(project_type, pkg_list)
+            if audit_results:
+                results = results + audit_results
+        if not pkg_list:
+            if LOG:
+                LOG.debug("Empty package search attempted!")
+        else:
+            if LOG:
+                LOG.debug("Scanning %d oss dependencies for issues", len(pkg_list))
+        bom_data = json_load(bom_file_path)
+        if not bom_data:
+            cleanup_temp(tmp_bom_file)
+            return (
+                {
+                    "error": "true",
+                    "message": "Unable to generate SBOM. Check your input path or url.",
+                },
+                400,
+                {"Content-Type": "application/json"},
+            )
+        options = VdrAnalysisKV(
+            project_type,
+            results,
+            pkg_aliases={},
+            purl_aliases={},
+            suggest_mode=suggest_mode,
+            scoped_pkgs={},
+            no_vuln_table=True,
+            bom_file=bom_file_path,
+            pkg_list=[],
+            direct_purls={},
+            reached_purls={},
+            console=console,
+            logger=LOG,
+            fuzzy_search=fuzzy_search,
+        )
+        vdr_result = VDRAnalyzer(vdr_options=options).process()
+        if vdr_result.success:
+            pkg_vulnerabilities = vdr_result.pkg_vulnerabilities
+            if pkg_vulnerabilities:
+                bom_data["vulnerabilities"] = pkg_vulnerabilities
+            cleanup_temp(tmp_bom_file)
+            return json.dumps(bom_data), 200, {"Content-Type": "application/json"}
+    cleanup_temp(tmp_bom_file)
+    return (
+        {
+            "error": "true",
+            "message": "Unable to generate SBOM. Check your input path or url.",
+        },
+        500,
+        {"Content-Type": "application/json"},
+    )
+
+
+def cleanup_temp(tmp_bom_file):
+    if tmp_bom_file:
+        os.remove(tmp_bom_file)
+
+
+def run_server(options: ServerOptions):
+    app.config["CDXGEN_SERVER_URL"] = options.cdxgen_server
+    app.config["LOGGER_INSTANCE"] = options.logger
+    if options.allowed_hosts:
+        app.config["ALLOWED_HOSTS"] = [h.strip() for h in options.allowed_hosts if h]
+    if options.allowed_paths:
+        app.config["ALLOWED_PATHS"] = [
+            os.path.realpath(p) for p in options.allowed_paths if p
+        ]
+    if options.max_content_length:
+        app.config["MAX_CONTENT_LENGTH"] = options.max_content_length
+    # Dirty hack to get access to the create_bom function
+    if options.create_bom:
+        app.config["create_bom"] = create_bom
+    logger = options.logger
+    if logger:
+        logger.info(
+            f"dep-scan server running on {options.server_host}:{options.server_port}"
+        )
+        if options.server_host not in (
+            "127.0.0.1",
+            "0000:0000:0000:0000:0000:0000:0000:0001",
+            "0:0:0:0:0:0:0:1",
+            "::1",
+        ):
+            logger.warning(
+                "Server listening on non-local host without built-in authentication."
+            )
+    app.run(
+        host=options.server_host,
+        port=options.server_port,
+        debug=options.debug,
+        use_reloader=False,
+        ca_certs=options.ca_certs,
+        certfile=options.certfile,
+        keyfile=options.keyfile,
+    )