Modify OSS name from OWASP Result

Author: bjk7119

src/fosslight_binary/_jar_analysis.py

@@ -25,13 +25,17 @@ def run_analysis(params, func):
         logger.error(f"Run Analysis : {ex}")
 
 
-def get_oss_ver(version):
+def get_oss_ver(version_info):
     oss_version = ""
-
-    if version['source'] == 'pom':
-        if version['name'] == 'version':
-            oss_version = version['value']
-
+    if version_info.get('source') == 'central':
+        if version_info.get('name') == 'version':
+            oss_version = version_info.get('value')
+    elif version_info.get('source') == 'pom':
+        if version_info.get('name') == 'version':
+            oss_version = version_info.get('value')
+    elif version_info.get('source', "").lower() == 'manifest':
+        if version_info.get('name') == 'Implementation-Version' or version_info.get('name') == 'Bundle-Version':
+            oss_version = version_info.get('value')
     return oss_version
 
 
@@ -102,6 +106,60 @@ def get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, r
     return vulnerability_items
 
 
+def get_oss_groupid(evidence_info):
+    oss_groupid = ""
+    # First, Get groupid from Central, else get it from pom
+    if evidence_info.get('source') == 'central':
+        if evidence_info.get('name') == 'groupid':
+            oss_groupid = evidence_info.get('value')
+    elif evidence_info.get('source') == 'pom':
+        if evidence_info.get('name') == 'groupid':
+            oss_groupid = evidence_info.get('value')
+    return oss_groupid
+
+
+def get_oss_artifactid(evidence_info):
+    oss_artifactid = ""
+    # Get OSS Info from POM
+    if evidence_info.get('source') == 'pom':
+        if evidence_info.get('name') == 'artifactid':
+            oss_artifactid = evidence_info.get('value')
+    return oss_artifactid
+
+
+def get_oss_dl_url(evidence_info):
+    oss_dl_url = ""
+    if evidence_info.get('name') == 'url':
+        oss_dl_url = evidence_info.get('value')
+    return oss_dl_url
+
+
+def get_oss_info_from_pkg_info(pkg_info):
+    oss_name = ""
+    oss_version = ""
+
+    try:
+        if pkg_info.get('id') != "":
+            # Get OSS Name
+            if pkg_info.get('id').startswith('pkg:maven'):
+                # ex, pkg:maven/com.hankcs/[email protected]
+                oss_name = pkg_info.get('id').split('@')[0]
+                oss_name = f"{oss_name.split('/')[-2]}:{oss_name.split('/')[-1]}"
+            elif pkg_info.get('id').startswith('pkg:npm'):
+                # ex, pkg:npm/[email protected]
+                oss_name = pkg_info.get('id').split('@')[0]
+                oss_name = oss_name.replace('pkg:npm', 'npm')
+                oss_name = oss_name.replace('/', ':')
+            else:
+                oss_name = pkg_info.get('id').split('@')[0]
+                oss_name = oss_name.split('/')[-1]
+            # Get OSS Version
+            oss_version = pkg_info.get('id').split('@')[1]
+    except Exception as ex:
+        logger.debug(f"Error to get value for oss name and version: {ex}")
+    return oss_name, oss_version
+
+
 def analyze_jar_file(path_to_find_bin):
     remove_owasp_item = []
     owasp_items = {}
@@ -135,12 +193,13 @@ def analyze_jar_file(path_to_find_bin):
             oss_groupid = ""
             oss_dl_url = ""
             oss_license = get_oss_lic_in_jar(val)
-            get_oss_info = False
+            oss_name_found = False
 
             all_evidence = val.get("evidenceCollected")
             vulnerability = val.get("vulnerabilityIds")
+            all_pkg_info = val.get("packages")
+
             vendor_evidences = all_evidence.get('vendorEvidence')
-            product_evidences = all_evidence.get('productEvidence')
             version_evidences = all_evidence.get('versionEvidence')
 
             # Check if the file is .jar file
@@ -151,35 +210,37 @@ def analyze_jar_file(path_to_find_bin):
                 bin_with_path = bin_with_path.split('.jar')[0] + '.jar'
 
             file_with_path = os.path.relpath(bin_with_path, path_to_find_bin)
-            # Get Version info from versionEvidence
-            for version_info in version_evidences:
-                oss_ver = get_oss_ver(version_info)
-
-            # Get Artifact ID, Group ID, OSS Name from vendorEvidence
-            for vendor_info in vendor_evidences:
-                # Get OSS Info from POM
-                if vendor_info['source'] == 'pom':
-                    if vendor_info['name'] == 'artifactid':
-                        oss_artifactid = vendor_info['value']
-                    if vendor_info['name'] == 'groupid':
-                        oss_groupid = vendor_info['value']
-                    if vendor_info['name'] == 'url':
-                        oss_dl_url = vendor_info['value']
+
+            # First, Get OSS Name and Version info from pkg_info
+            for pkg_info in all_pkg_info:
+                oss_name, oss_ver = get_oss_info_from_pkg_info(pkg_info)
+
+            if oss_name == "" and oss_ver == "":
+                # If can't find name and version, Find thoes in vendorEvidence and versionEvidence .
+                # Get Version info from versionEvidence
+                for version_info in version_evidences:
+                    oss_ver = get_oss_ver(version_info)
+
+                # Get Artifact ID, Group ID, OSS Name from vendorEvidence
+                for vendor_info in vendor_evidences:
+                    if oss_groupid == "":
+                        oss_groupid = get_oss_groupid(vendor_info)
+                    if oss_artifactid == "":
+                        oss_artifactid = get_oss_artifactid(vendor_info)
+                    if oss_dl_url == "":
+                        oss_dl_url = get_oss_dl_url(vendor_info)
+                    # Combine groupid and artifactid
                     if oss_artifactid != "" and oss_groupid != "":
                         oss_name = f"{oss_groupid}:{oss_artifactid}"
-
-            # Check if get oss_name and version from pom
-            if oss_name != "" and oss_ver != "":
-                get_oss_info = True
-
-            # If there is no pom.mxl in .jar file, get oss info from MANIFEST.MF file
-            if get_oss_info is False:
-                for product_info in product_evidences:
-                    if product_info['source'] == 'Manifest':
-                        if oss_name == "" and (product_info['name'] == 'Implementation-Title' or product_info['name'] == 'specification-title'):
-                            oss_name = product_info['value']
-                        if oss_ver == "" and (product_info['name'] == 'Implementation-Version' or product_info['name'] == 'Bundle-Version'):
-                            oss_ver = product_info['value']
+                        oss_name_found = True
+                    # If oss_name is found, break
+                    if oss_name_found:
+                        break
+            else:
+                # Get only dl_url from vendorEvidence
+                for vendor_info in vendor_evidences:
+                    if oss_dl_url == "":
+                        oss_dl_url = get_oss_dl_url(vendor_info)
 
             # Get Vulnerability Info.
             vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)