Use Dependency-check v12.1.3 to analyze .jar

bjk7119 · bjk7119 · commit 6304925b3a84 · 2025-09-22T13:02:10.000+09:00
diff --git a/requirements.txt b/requirements.txt
@@ -9,4 +9,3 @@ pytz
 XlsxWriter
 PyYAML
 fosslight_util>=2.1.13
-dependency-check
diff --git a/src/fosslight_binary/__init__.py b/src/fosslight_binary/__init__.py
@@ -0,0 +1,106 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025 LG Electronics Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# Auto-install dependency-check on first import
+import logging
+import os
+import stat
+import subprocess
+import tempfile
+import urllib.request
+import zipfile
+
+logger = logging.getLogger(__name__)
+
+# OWASP dependency-check version to install
+DEPENDENCY_CHECK_VERSION = "12.1.3"
+
+
+def _install_dependency_check():
+    """Install OWASP dependency-check"""
+    try:
+        # Skip if explicitly disabled
+        if os.environ.get('FOSSLIGHT_SKIP_AUTO_INSTALL', '').lower() in ('1', 'true', 'yes'):
+            logger.info("Auto-install disabled by environment variable")
+            return
+
+        # Fixed install directory: always use ./fosslight_dc_bin in current working directory
+        install_dir = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin'))
+        bin_dir = os.path.join(install_dir, 'dependency-check', 'bin')
+        dc_path = os.path.join(bin_dir, 'dependency-check.sh')
+
+        # Check if dependency-check already exists
+        if os.path.exists(dc_path):
+            try:
+                result = subprocess.run([dc_path, '--version'], capture_output=True, text=True, timeout=10)
+                if result.returncode == 0:
+                    logger.debug("dependency-check already installed and working")
+                    os.environ['DEPENDENCY_CHECK_VERSION'] = DEPENDENCY_CHECK_VERSION
+                    os.environ['DEPENDENCY_CHECK_HOME'] = os.path.join(install_dir, 'dependency-check')
+                    return
+            except (subprocess.TimeoutExpired, FileNotFoundError):
+                pass
+
+        # Download URL
+        download_url = (f"https://github.com/dependency-check/DependencyCheck/releases/"
+                        f"download/v{DEPENDENCY_CHECK_VERSION}/"
+                        f"dependency-check-{DEPENDENCY_CHECK_VERSION}-release.zip")
+
+        os.makedirs(install_dir, exist_ok=True)
+        logger.info("Downloading OWASP dependency-check")
+        logger.info(f"URL: {download_url}")
+
+        # Download and extract
+        with urllib.request.urlopen(download_url) as response:
+            content = response.read()
+
+        with tempfile.NamedTemporaryFile(suffix='.zip', delete=False) as tmp_file:
+            tmp_file.write(content)
+            tmp_file.flush()
+            with zipfile.ZipFile(tmp_file.name, 'r') as zip_ref:
+                zip_ref.extractall(install_dir)
+            os.unlink(tmp_file.name)
+
+        # Make shell scripts executable
+        if os.path.exists(bin_dir):
+            for script in ["dependency-check.sh", "completion-for-dependency-check.sh"]:
+                script_path = os.path.join(bin_dir, script)
+                if os.path.exists(script_path):
+                    st = os.stat(script_path)
+                    os.chmod(script_path, st.st_mode | stat.S_IEXEC)
+
+        logger.info("✅ OWASP dependency-check installed successfully!")
+        logger.info(f"Installed to: {os.path.join(install_dir, 'dependency-check')}")
+
+        # Set environment variables after successful installation
+        os.environ['DEPENDENCY_CHECK_VERSION'] = DEPENDENCY_CHECK_VERSION
+        os.environ['DEPENDENCY_CHECK_HOME'] = os.path.join(install_dir, 'dependency-check')
+
+        return True
+
+    except Exception as e:
+        logger.error(f"Failed to install dependency-check: {e}")
+        logger.info("dependency-check can be installed manually from: https://github.com/dependency-check/DependencyCheck/releases")
+        return False
+
+
+def _auto_install_dependencies():
+    """Auto-install required dependencies if not present."""
+    # Only run this once per session
+    if hasattr(_auto_install_dependencies, '_already_run'):
+        return
+    _auto_install_dependencies._already_run = True
+
+    try:
+        # Install binary version
+        _install_dependency_check()
+
+        logger.info(f"✅ dependency-check setup completed with version {DEPENDENCY_CHECK_VERSION}")
+    except Exception as e:
+        logger.warning(f"Auto-install failed: {e}")
+
+
+# Auto-install on import
+_auto_install_dependencies()
diff --git a/src/fosslight_binary/_jar_analysis.py b/src/fosslight_binary/_jar_analysis.py
@@ -7,23 +7,26 @@
 import json
 import os
 import sys
+import subprocess
 import fosslight_util.constant as constant
 from ._binary import BinaryItem, VulnerabilityItem, is_package_dir
 from fosslight_util.oss_item import OssItem
-from dependency_check import run as dependency_check_run
-
 
 logger = logging.getLogger(constant.LOGGER_NAME)
 
 
-def run_analysis(params, func):
+def run_analysis(command):
     try:
-        sys.argv = params
-        func()
-    except SystemExit:
-        pass
+        result = subprocess.run(command, text=True, timeout=300)
+        if result.returncode != 0:
+            logger.error(f"dependency-check failed with return code {result.returncode}")
+            raise Exception(f"dependency-check failed with return code {result.returncode}")
+    except subprocess.TimeoutExpired:
+        logger.error("dependency-check command timed out")
+        raise
     except Exception as ex:
         logger.error(f"Run Analysis : {ex}")
+        raise
 
 
 def get_oss_ver(version_info):
@@ -185,12 +188,22 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
     success = True
     json_file = ""
 
-    command = ['dependency-check', '--scan', f'{path_to_find_bin}', '--out', f'{path_to_find_bin}',
+    # Use fixed install path: ./fosslight_dc_bin/dependency-check/bin/dependency-check.sh or .bat
+    if sys.platform.startswith('win'):
+        depcheck_path = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin', 'dependency-check', 'bin', 'dependency-check.bat'))
+    else:
+        depcheck_path = os.path.abspath(os.path.join(os.getcwd(), 'fosslight_dc_bin', 'dependency-check', 'bin', 'dependency-check.sh'))
+    if not (os.path.isfile(depcheck_path) and os.access(depcheck_path, os.X_OK)):
+        raise FileNotFoundError(f'dependency-check script not found or not executable at {depcheck_path}')
+
+    command = [depcheck_path, '--scan', f'{path_to_find_bin}', '--out', f'{path_to_find_bin}',
                '--disableArchive', '--disableAssembly', '--disableRetireJS', '--disableNodeJS',
                '--disableNodeAudit', '--disableNugetconf', '--disableNuspec', '--disableOpenSSL',
-               '--disableOssIndex', '--disableBundleAudit', '--cveValidForHours', '24', '-f', 'JSON']
+               '--disableOssIndex', '--disableBundleAudit', '--nvdValidForHours', '168',
+               '--nvdDatafeed', 'https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-{0}.json.gz', '-f', 'JSON']
+
     try:
-        run_analysis(command, dependency_check_run)
+        run_analysis(command)
     except Exception as ex:
         logger.info(f"Error to analyze .jar file - OSS information for .jar file isn't included in report.\n {ex}")
         success = False
