feat: Add support for scanning Java packages (fixes #1463) (#1476)

anthonyharrison · web-flow · commit 28f9dade49bd · 2022-01-06T14:03:13.000-08:00
diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py
@@ -6,6 +6,7 @@
 import sys
 from re import MULTILINE, compile, search
 
+import defusedxml.ElementTree as ET
 import pkg_resources
 
 from cve_bin_tool.cvedb import CVEDB
@@ -57,6 +58,7 @@ def __init__(
         self.should_extract = should_extract
         self.file_stack = []
         self.error_mode = error_mode
+        self.cve_db = CVEDB()
         # self.logger.info("Checkers loaded: %s" % (", ".join(self.checkers.keys())))
 
     @classmethod
@@ -115,6 +117,7 @@ def is_executable(self, filename):
                 and ("Mach-O" not in output)
                 and ("PKG-INFO: " not in output)
                 and ("METADATA: " not in output)
+                and ("pom.xml" not in output)
             ):
                 return False, None
         # otherwise use python implementation of file
@@ -160,13 +163,86 @@ def scan_file(self, filename):
         # parse binary file's strings
         lines = self.parse_strings(filename)
 
+        # Check for Java package
+        if output and "pom.xml" in output:
+            java_lines = "\n".join(lines.splitlines())
+            yield from self.run_java_checker(filename, java_lines)
+
         #  If python package then strip the lines to avoid detecting other product strings
         if output and ("PKG-INFO: " in output or "METADATA: " in output):
             py_lines = "\n".join(lines.splitlines()[:3])
             yield from self.run_python_package_checkers(filename, py_lines)
 
         yield from self.run_checkers(filename, lines)
 
+    def find_java_vendor(self, product, version):
+        """Find vendor for Java product"""
+        vendor_package_pair = self.cve_db.get_vendor_product_pairs(product)
+        # If no match, try alternative product name.
+        # Apache product names are stored as A_B in NVD database but often called A-B
+        # Some packages have -parent appended to product which is not in NVD database
+        if vendor_package_pair == [] and "-" in product:
+            self.logger.debug(f"Try alternative product {product}")
+            # Remove parent appendage
+            if "-parent" in product:
+                product = product.replace("-parent", "")
+            product = product.replace("-", "_")
+            vendor_package_pair = self.cve_db.get_vendor_product_pairs(product)
+        if vendor_package_pair != []:
+            vendor = vendor_package_pair[0]["vendor"]
+            file_path = "".join(self.file_stack)
+            self.logger.debug(f"{file_path} {product} {version} by {vendor}")
+            return ProductInfo(vendor, product, version), file_path
+        return None, None
+
+    def run_java_checker(self, filename, lines):
+        """Process maven pom.xml file and extract product and dependency details"""
+        tree = ET.parse(filename)
+        # Find root element
+        root = tree.getroot()
+        # Extract schema
+        schema = root.tag[: root.tag.find("}") + 1]
+        parent = root.find(schema + "parent")
+        version = None
+        product = None
+        file_path = "".join(self.file_stack)
+        # Parent tag is optional.
+        if parent is None:
+            product = root.find(schema + "artifactId").text
+            version = root.find(schema + "version").text
+        if version is None:
+            version = parent.find(schema + "version").text
+        # Check valid version identifier (i.e. starts with a digit)
+        if not version[0].isdigit():
+            self.logger.debug(f"Invalid {version} detected in {filename}")
+            version = None
+        if product is None:
+            product = parent.find(schema + "artifactId").text
+        if product is not None and version is not None:
+            product_info, file_path = self.find_java_vendor(product, version)
+            if file_path is not None:
+                yield product_info, file_path
+
+        # Scan for any dependencies referenced in file
+        dependencies = root.find(schema + "dependencies")
+        if dependencies is not None:
+            for dependency in dependencies.findall(schema + "dependency"):
+                product = dependency.find(schema + "artifactId")
+                if product is not None:
+                    version = dependency.find(schema + "version")
+                    if version is not None:
+                        version = version.text
+                        self.logger.debug(f"{file_path} {product.text} {version}")
+                        if version[0].isdigit():
+                            # Valid version identifier
+                            product_info, file_path = self.find_java_vendor(
+                                product.text, version
+                            )
+                            if file_path is not None:
+                                yield product_info, file_path
+
+        self.logger.debug(f"Done scanning file: {filename}")
+
     def run_python_package_checkers(self, filename, lines):
         """
         This generator runs only for python packages.
