feat(checker): add Apache commons-compress checker (#1040) (#1666)

* feat(checker): add Apache commons-compress checker

* fix: version signature of commons_compress

Co-authored-by: Terri Oda <[email protected]>

Author: b31ngd3v

.github/actions/spelling/allow.txt

@@ -58,6 +58,8 @@ cleartext
 clnt
 cmdline
 codecov
+commons
+compress
 conda
 config
 conventionalcommits

README.md

@@ -244,24 +244,24 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------- |---------- |--------------- |------------ |--------------- |------------- |
+|--------------- |------------- |---------------- |---------- |--------------- |------------ |--------------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
-| busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
-| dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
-| ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
-| icecast |icu |irssi |jacksondatabind |kbd |kerberos |kexectools |
-| libarchive |libbpg |libdb |libebml |libgcrypt |libical |libjpeg_turbo |
-| liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |lighttpd |
-| logrotate |lua |mariadb |mdadm |memcached |mtr |mysql |
-| nano |ncurses |nessus |netpbm |nginx |node |ntp |
-| open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |openswan |
-| openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |poppler |
-| postgresql |pspp |python |qt |radare2 |rsyslog |samba |
-| sane_backends |sqlite |strongswan |subversion |sudo |syslogng |systemd |
-| tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |xerces |
-| xml2 |zlib |zsh | | | | |
+| busybox |bzip2 |commons_compress |cronie |cryptsetup |cups |curl |
+| dbus |dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |
+| freeradius |ftp |gcc |gimp |glibc |gnomeshell |gnupg |
+| gnutls |gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |
+| hunspell |icecast |icu |irssi |jacksondatabind |kbd |kerberos |
+| kexectools |libarchive |libbpg |libdb |libebml |libgcrypt |libical |
+| libjpeg_turbo |liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/checkers/__init__.py

@@ -20,6 +20,7 @@
     "bubblewrap",
     "busybox",
     "bzip2",
+    "commons_compress",
     "cronie",
     "cryptsetup",
     "cups",

cve_bin_tool/checkers/commons_compress.py

@@ -0,0 +1,22 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for Apache commons-compress:
+
+https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-59066/Apache-Commons-Compress.html
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class CommonsCompressChecker(Checker):
+    CONTAINS_PATTERNS = [
+        r"Apache Commons Compress software defines an API for working with",
+        r"<url>http://commons.apache.org/proper/commons-compress/</url>",
+    ]
+    FILENAME_PATTERNS = [r"commons-compress(-[0-9]+\.[0-9]+(\.[0-9]+)?)?.jar"]
+    VERSION_PATTERNS = [
+        r"<artifactId>commons-compress</artifactId>\r?\n  <version>([0-9]+\.[0-9]+(\.[0-9]+)?)</version>"
+    ]
+    VENDOR_PRODUCT = [("apache", "commons_compress")]

doc/MANUAL.md

@@ -128,24 +128,24 @@ which is useful if you're trying the latest code from
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------- |---------- |--------------- |------------ |--------------- |------------- |
+|--------------- |------------- |---------------- |---------- |--------------- |------------ |--------------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
-| busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
-| dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
-| ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
-| icecast |icu |irssi |jacksondatabind |kbd |kerberos |kexectools |
-| libarchive |libbpg |libdb |libebml |libgcrypt |libical |libjpeg_turbo |
-| liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |lighttpd |
-| logrotate |lua |mariadb |mdadm |memcached |mtr |mysql |
-| nano |ncurses |nessus |netpbm |nginx |node |ntp |
-| open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |openswan |
-| openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |poppler |
-| postgresql |pspp |python |qt |radare2 |rsyslog |samba |
-| sane_backends |sqlite |strongswan |subversion |sudo |syslogng |systemd |
-| tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |xerces |
-| xml2 |zlib |zsh | | | | |
+| busybox |bzip2 |commons_compress |cronie |cryptsetup |cups |curl |
+| dbus |dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |
+| freeradius |ftp |gcc |gimp |glibc |gnomeshell |gnupg |
+| gnutls |gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |
+| hunspell |icecast |icu |irssi |jacksondatabind |kbd |kerberos |
+| kexectools |libarchive |libbpg |libdb |libebml |libgcrypt |libical |
+| libjpeg_turbo |liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
 <!--CHECKERS TABLE END-->
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).

test/condensed-downloads/apache-commons-compress-1.21-1.fc35.noarch.rpm.tar.gz

@@ -0,0 +1,33 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+    {
+        "product": "commons_compress",
+        "version": "1.18",
+        "version_strings": [
+            "<artifactId>commons-compress</artifactId>\r\n  <version>1.18</version>"
+        ],
+    },
+    {
+        "product": "commons_compress",
+        "version": "1.15.1",
+        "version_strings": [
+            "<artifactId>commons-compress</artifactId>\r\n  <version>1.15.1</version>"
+        ],
+    },
+]
+package_test_data = [
+    {
+        "url": "https://repo1.maven.org/maven2/org/apache/commons/commons-compress/1.16.1/",
+        "package_name": "commons-compress-1.16.1.jar",
+        "product": "commons_compress",
+        "version": "1.16.1",
+    },
+    {
+        "url": "http://rpmfind.net/linux/fedora/linux/releases/35/Everything/x86_64/os/Packages/a/",
+        "package_name": "apache-commons-compress-1.21-1.fc35.noarch.rpm",
+        "product": "commons_compress",
+        "version": "1.21",
+    },
+]