NV6208, NV5079: reducing false positive CVE cases on java applications.

39wLan · Mar 28, 2022 · 1514acd · 1514acd
1 parent aa4237f
commit 1514acd
Showing 1 changed file with 63 additions and 73 deletions.
diff --git a/share/scan/apps.go b/share/scan/apps.go
@@ -5,7 +5,6 @@ import (
 	"bufio"
 	"bytes"
 	"encoding/json"
-	"encoding/xml"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -22,9 +21,11 @@ import (
 const (
 	AppFileName = "apps_pkg"
 
-	nodeModules = "node_modules"
-	nodePackage = "package.json"
-	nodeJs      = "node.js"
+	nodeModules1 = "/usr/lib/node_modules"
+	nodeModules2 = "/usr/local/lib/node_modules"
+	nodeModules  = "node_modules"
+	nodePackage  = "package.json"
+	nodeJs       = "node.js"
 
 	wpname           = "Wordpress"
 	WPVerFileSuffix  = "wp-includes/version.php"
@@ -38,6 +39,15 @@ const (
 	tomcatName         = "Tomcat"
 	jarMaxDepth        = 2
 
+	javaPOMproperty    = "/pom.properties"
+	javaPOMgroupId     = "groupId="
+	javaPOMartifactId  = "artifactId="
+	javaPOMversion     = "version="
+	javaManifest       = "MANIFEST.MF"
+	javaMnfstVendorId  = "Implementation-Vendor-Id:"
+	javaMnfstVersion   = "Implementation-Version:"
+	javaMnfstTitle     = "Implementation-Title:"
+
 	python            = "python"
 	ruby              = "ruby"
 	dotnetDepsMaxSize = 10 * 1024 * 1024
@@ -306,95 +316,75 @@ func (s *ScanApps) parseJarPackage(r zip.Reader, filename, fullpath string, dept
 					}
 				}
 			}
-		} else if strings.HasSuffix(f.Name, javaPOMXML) {
+		} else if strings.HasSuffix(f.Name, javaPOMproperty) {
+			var groupId, version, artifactId string
 			rc, err := f.Open()
 			if err != nil {
-				log.WithFields(log.Fields{"err": err}).Error("open pom.xml file fail")
+				log.WithFields(log.Fields{"err": err}).Error("open pom file fail")
 				continue
 			}
 			defer rc.Close()
 
-			txt := make([]byte, pomReadSize)
-			n, err := io.ReadFull(rc, txt)
-			if err != nil && err != io.ErrUnexpectedEOF {
-				log.WithFields(log.Fields{"err": err}).Error("read pom.xml file fail")
-				continue
+			scanner := bufio.NewScanner(rc)
+			for scanner.Scan() {
+				line := scanner.Text()
+				switch {
+				case strings.HasPrefix(line, javaPOMgroupId):
+					groupId = strings.TrimSpace(strings.TrimPrefix(line, javaPOMgroupId))
+				case strings.HasPrefix(line, javaPOMversion):
+					version = strings.TrimSpace(strings.TrimPrefix(line, javaPOMversion))
+				case strings.HasPrefix(line, javaPOMartifactId):
+					artifactId = strings.TrimSpace(strings.TrimPrefix(line, javaPOMartifactId))
+				}
+
+				if len(groupId) > 0  && len(version) > 0 && len(artifactId) > 0 {
+					break
+				}
 			}
-			d := xml.NewDecoder(bytes.NewReader(txt[:n]))
-			if d == nil {
-				log.WithFields(log.Fields{"file": f.Name}).Error("New pom.xml decoder fail")
-				continue
+
+			pkg := AppPackage{
+				AppName:    jar,
+				FileName:   filename,
+				ModuleName: fmt.Sprintf("%s:%s", groupId, artifactId),
+				Version:    version,
 			}
-			var proj mvnProject
-			err = d.Decode(&proj)
+
+			pkgs[filename] = []AppPackage{pkg}
+			break	// higher priority
+		} else if strings.HasSuffix(f.Name, javaManifest) {
+			var vendorId, version, title string
+			rc, err := f.Open()
 			if err != nil {
-				log.WithFields(log.Fields{"file": f.Name}).Error("Decode pom.xml fail")
+				log.WithFields(log.Fields{"err": err}).Error("open pom.xml file fail")
 				continue
 			}
+			defer rc.Close()
 
-			verMap := make(map[string]string)
-			scanner := bufio.NewScanner(bytes.NewReader(txt[:n]))
+			scanner := bufio.NewScanner(rc)
 			for scanner.Scan() {
 				line := scanner.Text()
-				match := verRegexp.FindAllStringSubmatch(line, 1)
-				if len(match) > 0 {
-					s := match[0]
-					v1 := s[1]
-					ver := s[2]
-					v2 := s[3]
-					if v1 == v2 && v1 != "version" {
-						verMap[v1] = ver
-					}
-				}
-			}
-
-			if proj.Parent.GroupId != "" && proj.Parent.ArtifactId != "" && proj.Parent.Version != "" {
-				if strings.HasPrefix(proj.Parent.Version, "${") && strings.HasSuffix(proj.Parent.Version, "}") {
-					rver := proj.Parent.Version[2 : len(proj.Parent.Version)-1]
-					v, ok := verMap[rver]
-					if !ok {
-						continue
-					}
-					proj.Parent.Version = v
+				switch {
+				case strings.HasPrefix(line, javaMnfstVendorId):
+					vendorId = strings.TrimSpace(strings.TrimPrefix(line, javaMnfstVendorId))
+				case strings.HasPrefix(line, javaMnfstVersion):
+					version = strings.TrimSpace(strings.TrimPrefix(line, javaMnfstVersion))
+				case strings.HasPrefix(line, javaMnfstTitle):
+					title = strings.TrimSpace(strings.TrimPrefix(line, javaMnfstTitle))
 				}
 
-				pkg := AppPackage{
-					AppName:    jar,
-					ModuleName: proj.Parent.GroupId + ":" + proj.ArtifactId, // parent group + self artifact
-					Version:    proj.Parent.Version,
-					FileName:   filename,
-				}
-				if list, ok := pkgs[filename]; ok {
-					pkgs[filename] = append(list, pkg)
-				} else {
-					pkgs[filename] = []AppPackage{pkg}
+				if len(vendorId) > 0  && len(title) > 0 && len(version) > 0 {
+					break
 				}
 			}
 
-			for _, dep := range proj.Dependencies {
-				if dep.GroupId != "" && dep.ArtifactId != "" && dep.Version != "" && dep.Scope != "test" {
-					if strings.HasPrefix(dep.Version, "${") && strings.HasSuffix(dep.Version, "}") {
-						rver := dep.Version[2 : len(dep.Version)-1]
-						v, ok := verMap[rver]
-						if !ok {
-							continue
-						}
-						dep.Version = v
-					}
-
-					pkg := AppPackage{
-						AppName:    jar,
-						ModuleName: dep.GroupId + ":" + dep.ArtifactId,
-						Version:    dep.Version,
-						FileName:   filename,
-					}
-					if list, ok := pkgs[filename]; ok {
-						pkgs[filename] = append(list, pkg)
-					} else {
-						pkgs[filename] = []AppPackage{pkg}
-					}
-				}
+			pkg := AppPackage{
+				AppName:    jar,
+				FileName:   filename,
+				ModuleName: fmt.Sprintf("%s:%s", vendorId, title),
+				Version:    version,
 			}
+
+			pkgs[filename] = []AppPackage{pkg}
 		}
 	}