fosslight-binary 5.1.8__tar.gz → 5.1.9__tar.gz

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fosslight_binary
-Version: 5.1.8
+Version: 5.1.9
 Summary: FOSSLight Binary Scanner
 Home-page: https://github.com/fosslight/fosslight_binary_scanner
 Download-URL: https://github.com/fosslight/fosslight_binary_scanner

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/setup.py

@@ -33,7 +33,7 @@ if __name__ == "__main__":
 
     setup(
         name=_PACKAEG_NAME,
-        version='5.1.8',
+        version='5.1.9',
         package_dir={"": "src"},
         packages=find_packages(where='src'),
         description='FOSSLight Binary Scanner',

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/src/fosslight_binary/_binary.py

@@ -2,14 +2,18 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2020 LG Electronics Inc.
 # SPDX-License-Identifier: Apache-2.0
-from fosslight_util.oss_item import FileItem
+import os
 import urllib.parse
 import logging
 import fosslight_util.constant as constant
+from typing import Tuple
+from fosslight_util.oss_item import FileItem
 
 EXCLUDE_TRUE_VALUE = "Exclude"
 TLSH_CHECKSUM_NULL = "0"
 MAX_EXCEL_URL_LENGTH = 255
+EXCEEDED_VUL_URL_LENGTH_COMMENT = f"Exceeded the maximum vulnerability URL length of {MAX_EXCEL_URL_LENGTH} characters."
+_PACKAGE_DIR = ["node_modules", "venv", "Pods", "Carthage"]
 
 logger = logging.getLogger(constant.LOGGER_NAME)
 
@@ -54,12 +58,9 @@ class BinaryItem(FileItem):
         nvd_url = ", ".join(nvd_url).strip()
 
         if nvd_url and len(nvd_url) > MAX_EXCEL_URL_LENGTH:
-            oss.comment = f"Exceeded the maximum vulnerability URL length of {MAX_EXCEL_URL_LENGTH} characters."
+            oss.comment = EXCEEDED_VUL_URL_LENGTH_COMMENT
         return nvd_url
 
-    def get_print_binary_only(self):
-        return (self.source_name_or_path + "\t" + self.checksum + "\t" + self.tlsh)
-
     def get_print_array(self):
         items = []
         if self.oss_items:
@@ -110,3 +111,15 @@ class BinaryItem(FileItem):
             if self.comment:
                 json_item["comment"] = self.comment
         return items
+
+
+def is_package_dir(bin_with_path: str, _root_path: str) -> Tuple[bool, str]:
+    is_pkg = False
+    pkg_path = ""
+    path_parts = bin_with_path.split(os.path.sep)
+    for pkg_dir in _PACKAGE_DIR:
+        if pkg_dir in path_parts:
+            pkg_index = path_parts.index(pkg_dir)
+            pkg_path = os.path.sep.join(path_parts[:pkg_index + 1]).replace(_root_path, '', 1)
+            is_pkg = True
+    return is_pkg, pkg_path

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/src/fosslight_binary/_jar_analysis.py

@@ -8,7 +8,7 @@ import json
 import os
 import sys
 import fosslight_util.constant as constant
-from ._binary import BinaryItem, VulnerabilityItem
+from ._binary import BinaryItem, VulnerabilityItem, is_package_dir
 from fosslight_util.oss_item import OssItem
 from dependency_check import run as dependency_check_run
 
@@ -57,29 +57,42 @@ def get_oss_lic_in_jar(data):
     return license
 
 
+def merge_oss_and_vul_items(bin, key, oss_list, vulnerability_items):
+    bin.set_oss_items(oss_list)
+    if vulnerability_items and vulnerability_items.get(key):
+        bin.vulnerability_items.extend(vulnerability_items.get(key, []))
+
+
 def merge_binary_list(owasp_items, vulnerability_items, bin_list):
     not_found_bin = []
 
-    # key : file_path / value : oss_list for one binary
+    # key : file_path / value : {"oss_list": [oss], "sha1": sha1} for one binary
     for key, value in owasp_items.items():
         found = False
+        oss_list = value["oss_list"]
+        sha1 = value.get("sha1", "")
         for bin in bin_list:
             if bin.source_name_or_path == key:
-                for oss in value:
+                found = True
+                for oss in oss_list:
                     if oss.name and oss.license:
                         bin.found_in_owasp = True
                         break
-                bin.set_oss_items(value)
-                if vulnerability_items and vulnerability_items.get(key):
-                    bin.vulnerability_items.extend(vulnerability_items.get(key))
-                found = True
-                break
+                merge_oss_and_vul_items(bin, key, oss_list, vulnerability_items)
+            else:
+                if bin.checksum == sha1:
+                    merge_oss_and_vul_items(bin, key, oss_list, vulnerability_items)
 
         if not found:
             bin_item = BinaryItem(os.path.abspath(key))
             bin_item.binary_name_without_path = os.path.basename(key)
             bin_item.source_name_or_path = key
-            bin_item.set_oss_items(value)
+
+            is_pkg, _ = is_package_dir(bin_item.source_name_or_path, '')
+            if is_pkg:
+                continue
+
+            bin_item.set_oss_items(oss_list)
             not_found_bin.append(bin_item)
 
     bin_list += not_found_bin
@@ -192,7 +205,8 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
         success = False
         return owasp_items, vulnerability_items, success
 
-    dependencies = jar_contents.get("dependencies")
+    dependencies = jar_contents.get("dependencies", [])
+
     try:
         for val in dependencies:
             bin_with_path = ""
@@ -204,6 +218,8 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
             oss_license = get_oss_lic_in_jar(val)
             oss_name_found = False
 
+            sha1 = val.get("sha1", "")
+
             all_evidence = val.get("evidenceCollected", {})
             vulnerability = val.get("vulnerabilityIds", [])
             all_pkg_info = val.get("packages", [])
@@ -259,31 +275,26 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
             # Get Vulnerability Info.
             vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)
 
-            if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "":
-                oss_list_for_file = owasp_items.get(file_with_path, [])
-
-                existing_oss = None
-                for item in oss_list_for_file:
-                    if item.name == oss_name and item.version == oss_ver:
-                        existing_oss = item
-                        break
-
-                if not existing_oss:
-                    oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
-                    oss.comment = "OWASP result"
+            if oss_name or oss_license or oss_dl_url:
+                oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
+                oss.comment = "OWASP result"
 
-                    if file_with_path in owasp_items:
-                        owasp_items[file_with_path].append(oss)
-                    else:
-                        owasp_items[file_with_path] = [oss]
+                if file_with_path in owasp_items:
+                    owasp_items[file_with_path]["oss_list"].append(oss)
+                    # Update sha1 if not already set or if current sha1 is empty
+                    if not owasp_items[file_with_path]["sha1"] and sha1:
+                        owasp_items[file_with_path]["sha1"] = sha1
+                else:
+                    owasp_items[file_with_path] = {
+                        "oss_list": [oss],
+                        "sha1": sha1
+                    }
     except Exception as ex:
-        logger.debug(f"Error to get depency Info in jar_contets: {ex}")
-        success = False
+        logger.debug(f"Error to get dependency Info in jar_contents: {ex}")
 
     try:
         if os.path.isfile(json_file):
             os.remove(json_file)
     except Exception as ex:
         logger.debug(f"Error - There is no .json file : {ex}")
-
     return owasp_items, vulnerability_items, success

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/src/fosslight_binary/binary_analysis.py

@@ -16,7 +16,7 @@ from fosslight_util.set_log import init_log
 import fosslight_util.constant as constant
 from fosslight_util.output_format import check_output_formats_v2, write_output_file
 from ._binary_dao import get_oss_info_from_db
-from ._binary import BinaryItem, TLSH_CHECKSUM_NULL
+from ._binary import BinaryItem, TLSH_CHECKSUM_NULL, is_package_dir
 from ._jar_analysis import analyze_jar_file, merge_binary_list
 from ._simple_mode import print_simple_mode, filter_binary, init_simple
 from fosslight_util.correct import correct_with_yaml
@@ -165,8 +165,15 @@ def get_file_list(path_to_find, abs_path_to_exclude):
             bin_with_path = os.path.join(root, file)
             bin_item = BinaryItem(bin_with_path)
             bin_item.binary_name_without_path = file
-            bin_item.source_name_or_path = bin_with_path.replace(
-                _root_path, '', 1)
+            bin_item.source_name_or_path = bin_with_path.replace(_root_path, '', 1)
+
+            is_pkg, pkg_path = is_package_dir(bin_with_path, _root_path)
+            if is_pkg:
+                bin_item.source_name_or_path = pkg_path
+                if not any(x.source_name_or_path == bin_item.source_name_or_path for x in bin_list):
+                    bin_item.exclude = True
+                    bin_list.append(bin_item)
+                continue
 
             if any(dir_name in dir_path for dir_name in _EXCLUDE_DIR):
                 bin_item.exclude = True

{fosslight_binary-5.1.8 → fosslight_binary-5.1.9}/src/fosslight_binary.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fosslight_binary
-Version: 5.1.8
+Version: 5.1.9
 Summary: FOSSLight Binary Scanner
 Home-page: https://github.com/fosslight/fosslight_binary_scanner
 Download-URL: https://github.com/fosslight/fosslight_binary_scanner