fosslight-binary 5.1.9__tar.gz → 5.1.10__tar.gz

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fosslight_binary
-Version: 5.1.9
+Version: 5.1.10
 Summary: FOSSLight Binary Scanner
 Home-page: https://github.com/fosslight/fosslight_binary_scanner
 Download-URL: https://github.com/fosslight/fosslight_binary_scanner
@@ -27,7 +27,6 @@ Requires-Dist: pytz
 Requires-Dist: XlsxWriter
 Requires-Dist: PyYAML
 Requires-Dist: fosslight_util>=2.1.13
-Requires-Dist: dependency-check
 Requires-Dist: python-magic-bin; sys_platform == "win32"
 Requires-Dist: python-magic; "darwin" in sys_platform
 Requires-Dist: python-magic; "linux" in sys_platform

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/requirements.txt

@@ -9,4 +9,3 @@ pytz
 XlsxWriter
 PyYAML
 fosslight_util>=2.1.13
-dependency-check

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/setup.py

@@ -33,7 +33,7 @@ if __name__ == "__main__":
 
     setup(
         name=_PACKAEG_NAME,
-        version='5.1.9',
+        version='5.1.10',
         package_dir={"": "src"},
         packages=find_packages(where='src'),
         description='FOSSLight Binary Scanner',

fosslight_binary-5.1.10/src/fosslight_binary/__init__.py

@@ -0,0 +1,149 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+import logging
+import os
+import stat
+import subprocess
+import tempfile
+import urllib.request
+import zipfile
+import sys
+
+logger = logging.getLogger(__name__)
+DEPENDENCY_CHECK_VERSION = "12.1.7"
+
+
+def _install_dependency_check():
+    """Install OWASP dependency-check"""
+    try:
+        # Skip if explicitly disabled
+        if os.environ.get('FOSSLIGHT_SKIP_AUTO_INSTALL', '').lower() in ('1', 'true', 'yes'):
+            logger.info("Auto-install disabled by environment variable")
+            return
+
+        env_home = os.environ.get('DEPENDENCY_CHECK_HOME', '').strip()
+        install_dir = None
+        forced_env = False
+        if env_home:
+            # Normalize
+            env_home_abs = os.path.abspath(env_home)
+            # Detect if env_home already the actual extracted root (ends with dependency-check)
+            candidate_bin_win = os.path.join(env_home_abs, 'bin', 'dependency-check.bat')
+            candidate_bin_nix = os.path.join(env_home_abs, 'bin', 'dependency-check.sh')
+            if os.path.exists(candidate_bin_win) or os.path.exists(candidate_bin_nix):
+                # env points directly to dependency-check root; install_dir is its parent
+                install_dir = os.path.dirname(env_home_abs)
+                forced_env = True
+            else:
+                # Assume env_home is the base directory where we should extract dependency-check/
+                install_dir = env_home_abs
+
+        if not install_dir:
+            # Fallback hierarchy: executable dir (if frozen) -> CWD
+            candidate_base = None
+            if getattr(sys, 'frozen', False):
+                exe_dir = os.path.dirname(os.path.abspath(sys.executable))
+                candidate_base = os.path.join(exe_dir, 'fosslight_dc_bin')
+
+                if not os.access(exe_dir, os.W_OK):
+                    candidate_base = None
+                else:
+                    logger.debug(f"Using executable directory base: {candidate_base}")
+            if not candidate_base:
+                candidate_base = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin'))
+            install_dir = candidate_base
+        else:
+            logger.debug(f"Resolved install_dir: {install_dir}")
+        bin_dir = os.path.join(install_dir, 'dependency-check', 'bin')
+        if sys.platform.startswith('win'):
+            dc_path = os.path.join(bin_dir, 'dependency-check.bat')
+        else:
+            dc_path = os.path.join(bin_dir, 'dependency-check.sh')
+
+        # Check if dependency-check already exists
+        if os.path.exists(dc_path):
+            try:
+                result = subprocess.run([dc_path, '--version'], capture_output=True, text=True, timeout=10)
+                if result.returncode == 0:
+                    logger.debug("dependency-check already installed and working")
+                    # If we detected an existing root via env, retain it, else set home now.
+                    if forced_env:
+                        os.environ['DEPENDENCY_CHECK_HOME'] = env_home_abs
+                    else:
+                        os.environ['DEPENDENCY_CHECK_HOME'] = os.path.join(install_dir, 'dependency-check')
+                    os.environ['DEPENDENCY_CHECK_VERSION'] = DEPENDENCY_CHECK_VERSION
+                    return
+            except (subprocess.TimeoutExpired, FileNotFoundError) as ex:
+                logger.debug(f"Exception in dependency-check --version: {ex}")
+                pass
+
+        # Download URL
+        download_url = (f"https://github.com/dependency-check/DependencyCheck/releases/"
+                        f"download/v{DEPENDENCY_CHECK_VERSION}/"
+                        f"dependency-check-{DEPENDENCY_CHECK_VERSION}-release.zip")
+
+        os.makedirs(install_dir, exist_ok=True)
+        logger.info(f"Downloading dependency-check {DEPENDENCY_CHECK_VERSION} from {download_url} ...")
+
+        # Download and extract
+        with urllib.request.urlopen(download_url) as response:
+            content = response.read()
+
+        with tempfile.NamedTemporaryFile(suffix='.zip', delete=False) as tmp_file:
+            tmp_file.write(content)
+            tmp_zip_path = tmp_file.name
+
+        with zipfile.ZipFile(tmp_zip_path, 'r') as zip_ref:
+            zip_ref.extractall(install_dir)
+        os.unlink(tmp_file.name)
+
+        # Make shell scripts executable
+        if os.path.exists(bin_dir):
+            if sys.platform.startswith('win'):
+                # Windows: .bat files only
+                scripts = ["dependency-check.bat"]
+            else:
+                # Linux/macOS: .sh files only
+                scripts = ["dependency-check.sh", "completion-for-dependency-check.sh"]
+
+            for script in scripts:
+                script_path = os.path.join(bin_dir, script)
+                if os.path.exists(script_path):
+                    st = os.stat(script_path)
+                    os.chmod(script_path, st.st_mode | stat.S_IEXEC)
+
+        logger.info("✅ OWASP dependency-check installed successfully!")
+        logger.info(f"Installed to: {os.path.join(install_dir, 'dependency-check')}")
+
+        # Set environment variables after successful installation
+        os.environ['DEPENDENCY_CHECK_VERSION'] = DEPENDENCY_CHECK_VERSION
+        os.environ['DEPENDENCY_CHECK_HOME'] = os.path.join(install_dir, 'dependency-check')
+
+        return True
+
+    except Exception as e:
+        logger.error(f"Failed to install dependency-check: {e}")
+        logger.info("dependency-check can be installed manually from: https://github.com/dependency-check/DependencyCheck/releases")
+        return False
+
+
+def _auto_install_dependencies():
+    """Auto-install required dependencies if not present."""
+    # Only run this once per session
+    if hasattr(_auto_install_dependencies, '_already_run'):
+        return
+    _auto_install_dependencies._already_run = True
+
+    try:
+        # Install binary version
+        _install_dependency_check()
+
+        logger.info(f"✅ dependency-check setup completed with version {DEPENDENCY_CHECK_VERSION}")
+    except Exception as e:
+        logger.warning(f"Auto-install failed: {e}")
+
+
+# Auto-install on import
+_auto_install_dependencies()

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/src/fosslight_binary/_binary_dao.py

@@ -7,8 +7,9 @@ import tlsh
 import logging
 import psycopg2
 import pandas as pd
+import socket
 from urllib.parse import urlparse
-from ._binary import TLSH_CHECKSUM_NULL
+from fosslight_binary._binary import TLSH_CHECKSUM_NULL
 from fosslight_util.oss_item import OssItem
 import fosslight_util.constant as constant
 
@@ -18,47 +19,67 @@ columns = ['filename', 'pathname', 'checksum', 'tlshchecksum', 'ossname',
 conn = ""
 cur = ""
 logger = logging.getLogger(constant.LOGGER_NAME)
+DB_URL_DEFAULT = "postgresql://bin_analysis_script_user:script_123@bat.lge.com:5432/bat"
 
 
 def get_oss_info_from_db(bin_info_list, dburl=""):
     _cnt_auto_identified = 0
-    conn_str = get_connection_string(dburl)
-    connect_to_lge_bin_db(conn_str)
-
-    if conn != "" and cur != "":
-        for item in bin_info_list:
-            bin_oss_items = []
-            tlsh_value = item.tlsh
-            checksum_value = item.checksum
-            bin_file_name = item.binary_name_without_path
-
-            df_result = get_oss_info_by_tlsh_and_filename(
-                bin_file_name, checksum_value, tlsh_value)
-            if df_result is not None and len(df_result) > 0:
-                _cnt_auto_identified += 1
-                # Initialize the saved contents at .jar analyzing only once
-                if not item.found_in_owasp and item.oss_items:
-                    item.oss_items = []
-
-                for idx, row in df_result.iterrows():
-                    if not item.found_in_owasp:
-                        oss_from_db = OssItem(row['ossname'], row['ossversion'], row['license'])
-
-                        if bin_oss_items:
-                            if not any(oss_item.name == oss_from_db.name
-                                       and oss_item.version == oss_from_db.version
-                                       and oss_item.license == oss_from_db.license
-                                       for oss_item in bin_oss_items):
+    conn_str, dbc = get_connection_string(dburl)
+    # DB URL에서 host 추출
+    try:
+        db_host = dbc.hostname
+    except Exception as ex:
+        logger.warning(f"Failed to parse DB URL for host: {ex}")
+        db_host = None
+
+    is_internal = False
+    if db_host:
+        try:
+            # DNS lookup 시도
+            socket.gethostbyname(db_host)
+            is_internal = True
+        except Exception:
+            is_internal = False
+
+    if is_internal:
+        connect_to_lge_bin_db(conn_str)
+        if conn != "" and cur != "":
+            for item in bin_info_list:
+                bin_oss_items = []
+                tlsh_value = item.tlsh
+                checksum_value = item.checksum
+                bin_file_name = item.binary_name_without_path
+
+                df_result = get_oss_info_by_tlsh_and_filename(
+                    bin_file_name, checksum_value, tlsh_value)
+                if df_result is not None and len(df_result) > 0:
+                    _cnt_auto_identified += 1
+                    # Initialize the saved contents at .jar analyzing only once
+                    if not item.found_in_owasp and item.oss_items:
+                        item.oss_items = []
+
+                    for idx, row in df_result.iterrows():
+                        if not item.found_in_owasp:
+                            oss_from_db = OssItem(row['ossname'], row['ossversion'], row['license'])
+
+                            if bin_oss_items:
+                                if not any(oss_item.name == oss_from_db.name
+                                           and oss_item.version == oss_from_db.version
+                                           and oss_item.license == oss_from_db.license
+                                           for oss_item in bin_oss_items):
+                                    bin_oss_items.append(oss_from_db)
+                            else:
                                 bin_oss_items.append(oss_from_db)
-                        else:
-                            bin_oss_items.append(oss_from_db)
-
-                if bin_oss_items:
-                    item.set_oss_items(bin_oss_items)
-                    item.comment = "Binary DB result"
-                    item.found_in_binary = True
 
-    disconnect_lge_bin_db()
+                    if bin_oss_items:
+                        item.set_oss_items(bin_oss_items)
+                        item.comment = "Binary DB result"
+                        item.found_in_binary = True
+        else:
+            logger.warning(f"Internal network detected, but DB connection to '{db_host}' failed. Skipping DB query.")
+        disconnect_lge_bin_db()
+    else:
+        logger.debug(f"Binary DB host '{db_host}' is not reachable. Skipping DB query.")
     return bin_info_list, _cnt_auto_identified
 
 
@@ -66,9 +87,10 @@ def get_connection_string(dburl):
     # dburl format : 'postgresql://username:password@host:port/database_name'
     connection_string = ""
     user_dburl = True
+    dbc = ""
     if dburl == "" or dburl is None:
         user_dburl = False
-        dburl = "postgresql://bin_analysis_script_user:script_123@bat.lge.com:5432/bat"
+        dburl = DB_URL_DEFAULT
     try:
         if user_dburl:
             logger.debug("DB URL:" + dburl)
@@ -83,7 +105,7 @@ def get_connection_string(dburl):
         if user_dburl:
             logger.warning(f"(Minor) Failed to parsing db url : {ex}")
 
-    return connection_string
+    return connection_string, dbc
 
 
 def get_oss_info_by_tlsh_and_filename(file_name, checksum_value, tlsh_value):

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/src/fosslight_binary/_jar_analysis.py

@@ -7,23 +7,26 @@ import logging
 import json
 import os
 import sys
+import subprocess
 import fosslight_util.constant as constant
-from ._binary import BinaryItem, VulnerabilityItem, is_package_dir
+from fosslight_binary._binary import BinaryItem, VulnerabilityItem, is_package_dir
 from fosslight_util.oss_item import OssItem
-from dependency_check import run as dependency_check_run
-
 
 logger = logging.getLogger(constant.LOGGER_NAME)
 
 
-def run_analysis(params, func):
+def run_analysis(command):
     try:
-        sys.argv = params
-        func()
-    except SystemExit:
-        pass
+        result = subprocess.run(command, text=True, timeout=600)
+        if result.returncode != 0:
+            logger.error(f"dependency-check failed with return code {result.returncode}")
+            raise Exception(f"dependency-check failed with return code {result.returncode}")
+    except subprocess.TimeoutExpired:
+        logger.error("dependency-check command timed out")
+        raise
     except Exception as ex:
         logger.error(f"Run Analysis : {ex}")
+        raise
 
 
 def get_oss_ver(version_info):
@@ -185,12 +188,27 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
     success = True
     json_file = ""
 
-    command = ['dependency-check', '--scan', f'{path_to_find_bin}', '--out', f'{path_to_find_bin}',
+    # Use fixed install path: ./fosslight_dc_bin/dependency-check/bin/dependency-check.sh or .bat
+    if sys.platform.startswith('win'):
+        depcheck_path = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin', 'dependency-check', 'bin', 'dependency-check.bat'))
+    elif sys.platform.startswith('linux'):
+        depcheck_path = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin', 'dependency-check', 'bin', 'dependency-check.sh'))
+    elif sys.platform.startswith('darwin'):
+        depcheck_path = os.path.abspath(os.path.join(os.getcwd(), 'dependency-check'))
+
+    if not (os.path.isfile(depcheck_path) and os.access(depcheck_path, os.X_OK)):
+        logger.error(f'dependency-check script not found or not executable at {depcheck_path}')
+        success = False
+        return owasp_items, vulnerability_items, success
+
+    command = [depcheck_path, '--scan', f'{path_to_find_bin}', '--out', f'{path_to_find_bin}',
                '--disableArchive', '--disableAssembly', '--disableRetireJS', '--disableNodeJS',
                '--disableNodeAudit', '--disableNugetconf', '--disableNuspec', '--disableOpenSSL',
-               '--disableOssIndex', '--disableBundleAudit', '--cveValidForHours', '24', '-f', 'JSON']
+               '--disableOssIndex', '--disableBundleAudit', '--disableOssIndex', '--nvdValidForHours', '168',
+               '--nvdDatafeed', 'https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-{0}.json.gz', '-f', 'JSON']
+
     try:
-        run_analysis(command, dependency_check_run)
+        run_analysis(command)
     except Exception as ex:
         logger.info(f"Error to analyze .jar file - OSS information for .jar file isn't included in report.\n {ex}")
         success = False
@@ -239,7 +257,22 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
             if not bin_with_path.endswith('.jar'):
                 bin_with_path = bin_with_path.split('.jar')[0] + '.jar'
 
-            file_with_path = os.path.relpath(bin_with_path, path_to_find_bin)
+            try:
+                path_to_fild_bin_abs = os.path.abspath(path_to_find_bin)
+                bin_with_path_abs = os.path.abspath(bin_with_path)
+                if os.name == 'nt':  # Windows
+                    drive_bin = os.path.splitdrive(bin_with_path_abs)[0].lower()
+                    drive_root = os.path.splitdrive(path_to_fild_bin_abs)[0].lower()
+                    # Different drive or UNC root -> fallback to basename
+                    if drive_bin and drive_root and drive_bin != drive_root:
+                        file_with_path = os.path.basename(bin_with_path_abs)
+                    else:
+                        file_with_path = os.path.relpath(bin_with_path_abs, path_to_fild_bin_abs)
+                else:
+                    file_with_path = os.path.relpath(bin_with_path_abs, path_to_fild_bin_abs)
+            except Exception as e:
+                file_with_path = os.path.basename(bin_with_path)
+                logger.error(f"relpath error: {e}; fallback basename: {file_with_path}")
 
             # First, Get OSS Name and Version info from pkg_info
             for pkg_info in all_pkg_info:

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/src/fosslight_binary.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fosslight_binary
-Version: 5.1.9
+Version: 5.1.10
 Summary: FOSSLight Binary Scanner
 Home-page: https://github.com/fosslight/fosslight_binary_scanner
 Download-URL: https://github.com/fosslight/fosslight_binary_scanner
@@ -27,7 +27,6 @@ Requires-Dist: pytz
 Requires-Dist: XlsxWriter
 Requires-Dist: PyYAML
 Requires-Dist: fosslight_util>=2.1.13
-Requires-Dist: dependency-check
 Requires-Dist: python-magic-bin; sys_platform == "win32"
 Requires-Dist: python-magic; "darwin" in sys_platform
 Requires-Dist: python-magic; "linux" in sys_platform

{fosslight_binary-5.1.9 → fosslight_binary-5.1.10}/src/fosslight_binary.egg-info/requires.txt

@@ -9,7 +9,6 @@ pytz
 XlsxWriter
 PyYAML
 fosslight_util>=2.1.13
-dependency-check
 
 [:"darwin" in sys_platform]
 python-magic