def generate_reports(output):
# Generate reports
summary_report = make_summary_report(output)
library_report = make_library_report(output)
vuln_report = make_vuln_report(output)
reports = summary_report + library_report + vuln_report
build_output(output, reports=reports)
return output
def find_vulns(output):
start_time = output.get("start_time")
dbcoordinates = output.get("dbcoordinates")
try:
vulns = search_vuln_using_versionrange(dbcoordinates)
cves = search_cve_database(vulns)
except KeyError as e:
# login id or password not available from environment
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except NameError as e:
# login id or password is empty
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except requests.exceptions.RequestException as e:
error_message = "ERROR: Dependency checker could not connect to vulnerability database.\n"
#error_message += str(e)
return build_output(output, code=4, error_message=error_message)
if vulns is not None:
build_output(output, vulns=vulns)
if cves is not None:
build_output(output, cves=cves)
end_time = time.time()
duration = (str(datetime.timedelta(
seconds=(end_time - start_time))).split(".")[0]) + " (hr:min:sec)"
message = "Dependency checker scanning completed.\n"
build_output(output, code=0, message=message, duration=duration)
print(message)
return output
def main(input_path):
'''
From a given Bower package path, installs dependent packages,
generates dependency tree, generates full package coordinates using from dependency tree,
then searches vulnerability database for any vulnerabilities
'''
output = {}
package_manager = "Bower"
start_time = time.time()
build_output(output, start_time=start_time,
package_manager=package_manager)
# Check if input path is valid. If not valid, exit with error message
package_path = os.path.abspath(input_path)
if is_valid_folder_path(package_path) is False:
error_message = ("ERROR: Invalid path entered for scan path. Please check the path before proceeding.")
return build_output(output, code=4, error_message=error_message, package_path=package_path)
build_output(output, package_path=package_path)
# Check if bower is installed
try:
bower_version_result, bower_version_stdout, bower_version_stderr =\
run_bower_version()
except FileNotFoundError:
error_message = "ERROR: Bower not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
message = "{} dependency checker started.".format(package_manager)
print(message)
message += "Scanning \"{}\" directory.".format(package_path)
build_output(output, message=message, start_time=start_time,
package_manager=package_manager, package_path=package_path)
# Check bower version
bower_version = get_bower_version(bower_version_stdout)
message = "Found Bower version: {}".format(bower_version)
build_output(output, message=message)
build_output(output, pkgmanager_version=bower_version)
print(message)
if not bower_json_exists(package_path):
error_message = ("ERROR: bower.json file not found. bower.json file is required for scanning.")
return build_output(output, code=4, error_message=error_message)
# Makes sure bower install command is ran successfully
install_result, install_stdout, install_stderr = run_bower_install(package_path)
if install_result is False:
error_message = ("ERROR: Dependency checker encountered an error while "
"installing dependencies using \"bower install\" command. "
"Please see the error message from bower below:\n\n")
error_message += install_stderr
return build_output(output, code=4, error_message=error_message)
dep_tree_result, dep_tree_stdout, dep_tree_stderr =\
get_dependency_tree_bower(package_path)
if dep_tree_result is True:
dep_tree = json.loads(dep_tree_stdout)
build_output(output, dep_tree=dep_tree)
else:
error_message = ("ERROR: Dependency checker encountered an error while "
"generating a dependency tree for your project using "
"\"bower list --json\" command. "
"Please see the error message from Bower below:\n\n")
error_message += dep_tree_stderr
return build_output(output, code=4, error_message=error_message)
coordinates = []
traverse_and_collect_dependencies_and_versions(dep_tree, coordinates)
coordinates_without_parent_project = coordinates[1:]
dbcoordinates = make_dbcoordinates(coordinates_without_parent_project)
build_output(output, dbcoordinates=dbcoordinates)
output = find_vulns(output)
# Process the output
code = output.get('code')
# If error, exit with error message
if code > 0:
return output
output = generate_reports(output)
print(output.get('reports', ""))
build_output(output)
return output
def main(input_path):
"""
"""
# This output dictionary will collect all the reports, stdouts, warning, and error messages for the final output
output = {}
# Checks if input path is valid. If not valid, exits with error message
package_path = os.path.abspath(input_path)
if is_valid_folder_path(package_path) is False:
error_message = (
"ERROR: Invalid path entered for scan path. Please check the path before proceeding."
)
return build_output(output, code=4, error_message=error_message)
package_manager = "Gradle"
message = "{} dependency checker started.".format(package_manager)
print(message)
message += "Scanning \"{}\" directory.".format(package_path)
start_time = time.time()
build_output(output,
message=message,
start_time=start_time,
package_manager=package_manager,
package_path=package_path)
gradle_wrapper_file_exists = False
# Makes sure gradle.build exists on input package's root
if not build_gradle_file_exists(package_path):
error_message = (
"ERROR: build.gradle file not found. build.gradle file is required for scanning."
)
return build_output(output, code=4, error_message=error_message)
# Check if gradle wrapper file exists in the package directory
if gradlew_file_exists(package_path):
gradle_wrapper_file_exists = True
message = "Found gradle wrapper in your project. Dependency checker will use the wrapper to scan your project."
print(message)
build_output(output, message=message)
# Checks if gradle is installed. Exits with error message if not installed
# Important: If gradle wrapper exists, ./gradlew --version will be used and will get the version from gradle wrapper
try:
gradle_version_run_result, gradle_version_run_stdout, gradle_version_run_stderr =\
run_gradle_version(package_path, gradle_wrapper_file_exists)
except PermissionError:
if gradle_wrapper_file_exists is True:
error_message = "Dependency checker does not have permission to execute gradlew file. Please make gradlew file executable before proceeding."
return build_output(output, code=4, error_message=error_message)
else:
# This case may not occur.
error_message = "Dependency checker does not have permission to execute gradle command. Please check if gradle is executable before proceeding."
return build_output(output, code=4, error_message=error_message)
except FileNotFoundError:
error_message = "ERROR: Gradle not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
if gradle_version_run_result is False:
error_message = "ERROR: Gradle not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
# Display gradle version
gradle_version = get_gradle_version(gradle_version_run_stdout)
if gradle_version is not None:
message = "Found Gradle version: {}".format(gradle_version)
print(message)
build_output(output, message=message)
message = "Gathering subproject information from your project..."
#print(message)
build_output(output, message=message)
gradle_projects_run_result, gradle_projects_stdout, gradle_projects_stderr =\
get_gradle_projects_unprocessed(package_path, gradlew_file_exists(package_path))
if gradle_projects_run_result is False:
error_message = (
"ERROR: Dependency checker encountered an error while gathering subproject information using "
"'gradle projects' command. "
"Please see the error message from Gradle below.\n\n")
error_message += gradle_projects_stderr
return build_output(output, code=4, error_message=error_message)
projects = parse_and_get_all_projects(gradle_projects_stdout)
if len(projects) > 0:
message = "Found following {} projects:\n".format(len(projects))
message += ", ".join(projects)
#print(message)
build_output(output, message=message)
message = "Generating dependency trees from each project..."
#print(message)
build_output(output, message=message)
# For each project (or subproject), get dependencies
try:
project_and_dependencies_stdout_map =\
get_raw_dependency_project_level_data_from_projects(
package_path, projects, gradle_wrapper_file_exists)
except ValueError as e:
return build_output(output, code=4, error_message=str(e))
project_dependencies_configs_map =\
get_raw_dependency_config_level_data(
project_and_dependencies_stdout_map)
# To use this scopes_to_exclude, may need to update text report generating funcs
# scopes_to_exclude = ("")
# filtered_coordinates = filter_coordinates_by_scope_exclusive(
# project_dependencies_configs_map, scopes_to_exclude)
scopes_to_include = ("compile", "implementation", "compileOnly",
"compileClasspath", "runtime", "runtimeOnly",
"runtimeClasspath", "default")
filtered_coordinates = filter_coordinates_by_scope_inclusive(
project_dependencies_configs_map, scopes_to_include)
dbcoordinates = convert_coordinates_to_dbcoordinates(filtered_coordinates)
build_output(output,
dbcoordinates=dbcoordinates,
scopes_included=scopes_to_include)
try:
vulns = search_vuln_using_versionrange(dbcoordinates)
cves = search_cve_database(vulns)
except KeyError as e:
# login id or password not available from environment
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except NameError as e:
# login id or password is empty
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except requests.exceptions.RequestException as e:
error_message = "ERROR: Dependency checker could not connect to vulnerability database.\n"
#error_message += str(e)
return build_output(output, code=4, error_message=error_message)
if vulns is not None:
build_output(output, vulns=vulns)
if cves is not None:
build_output(output, cves=cves)
end_time = time.time()
duration = (str(datetime.timedelta(
seconds=(end_time - start_time))).split(".")[0]) + " (hr:min:sec)"
message = "Dependency checker scanning completed.\n"
print(message)
build_output(output, message=message, duration=duration)
# Generate reports
summary_report = make_summary_report(output)
library_report = make_library_report(output)
vuln_report = make_vuln_report(output)
reports = summary_report + library_report + vuln_report
build_output(output, code=0, reports=reports)
print(reports)
return output
def main(input_path):
'''
Performs scanning on a given directory and returns vulnerability report and error messages that encountered
'''
# This output dictionary will collect all the reports, stdouts, warning, and error messages for the final output
output = {}
# Setup basic parameters to create a report
start_time = time.time()
package_manager = "Maven"
build_output(output,
package_manager=package_manager,
start_time=start_time)
# Check if input path is valid. If not valid, exit with error message
package_path = os.path.abspath(input_path)
if is_valid_folder_path(package_path) is False:
error_message = (
"ERROR: Invalid path entered for scan path. Please check the path before proceeding.\n"
)
return build_output(output,
code=4,
error_message=error_message,
package_path=package_path)
build_output(output, package_path=package_path)
# Makes sure maven is installed
try:
mvn_version_run_result, mvn_version_stdout, mvn_version_stderr = run_mvn_version(
)
except FileNotFoundError:
error_message = "ERROR: Maven not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
if mvn_version_run_result is False:
error_message = "ERROR: Maven not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
message = package_manager + " dependency checker started."
print(message) # print only the line above
#message += "\n"
message += "Scanning \"{}\" directory.".format(package_path)
build_output(output, message=message)
# Get maven version and check if the version is higher than 2.0 to support dependency:tree plugin
# If maven version info cannot be found. proceed to the next step regardless.
# If maven version doesn't support dependency:tree, exit.
mvn_version = get_mvn_version(mvn_version_stdout)
if mvn_version is not None:
message = "Found Maven version: {}".format(mvn_version)
build_output(output, message=message)
build_output(output, pkgmanager_version=mvn_version)
print(message)
# if check_mvn_version(mvn_version) is False:
# error_message = "ERROR: Dependency checker requires Maven version 3 or later. "
# error_message += "Your current Maven version is " + mvn_version + ". "
# error_message += "Please update your Maven before proceeding."
# return build_output(output, code=1, error_message=error_message)
else:
# maven version was not found.
warning_message = "WARNING: Could not verify installed version of Maven. "
warning_message += "Dependency checker will attempt to scan anyway."
build_output(output, warning_message=warning_message)
print(warning_message)
# Makes sure pom.xml exists on input package's root
if pom_xml_exists(package_path) is False:
error_message = "ERROR: pom.xml file not found. pom.xml file is required for scanning."
return build_output(output, code=4, error_message=error_message)
# Create a unique ID for each instance to generate unique dependency file
scan_id = uuid.uuid4().hex
dependency_tree_filepath = get_mvn_dependency_tree_filepath(scan_id)
message = "Generating a dependency tree file for your project..."
build_output(output, message=message)
generate_result, generate_stdout, generate_stderr = \
generate_dependency_tree_file(package_path, dependency_tree_filepath)
if generate_result is False:
error_message = (
"ERROR: Dependency checker encountered an error while generating a dependency tree file for your project using \"mvn dependency:tree\" command. "
"Please see the error message from Maven below:\n\n")
error_message += generate_stdout # When mvn dependency:tree fails, the output is directed to stdout (not stderr)
return build_output(output, code=4, error_message=error_message)
message = "Dependency tree file is generated at {}".format(
dependency_tree_filepath)
#print(message)
build_output(output, message=message)
lines = _get_lines_from_file(dependency_tree_filepath)
coordinates = get_all_coordinates(lines)
scopes_to_exclude = ["test"]
coordinates_test_scope_excluded =\
filter_coordinates_by_scope(coordinates, scopes_to_exclude)
dbcoordinates =\
convert_coordinates_to_dbcoordinates(coordinates_test_scope_excluded)
build_output(output,
dbcoordinates=dbcoordinates,
scopes_excluded=scopes_to_exclude)
try:
vulns = search_vuln_using_versionrange(dbcoordinates)
cves = search_cve_database(vulns)
except KeyError as e:
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except NameError as e:
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except requests.exceptions.RequestException as e:
error_message = "ERROR: Dependency checker could not connect to vulnerability database.\n"
return build_output(output, code=4, error_message=error_message)
if vulns is not None:
build_output(output, vulns=vulns)
if cves is not None:
build_output(output, cves=cves)
end_time = time.time()
duration = (str(datetime.timedelta(
seconds=(end_time - start_time))).split(".")[0]) + " (hr:min:sec)"
message = "Dependency checker scanning completed.\n"
build_output(output, message=message, duration=duration)
print(message)
# Deletes generated dependency tree file in temp folder
try:
delete_dependency_file(dependency_tree_filepath)
except OSError:
pass
else:
message = "Dependency tree file at {} is removed.\n".format(
dependency_tree_filepath)
build_output(output, message=message)
#print(message)
# Generate reports
summary_report = make_summary_report(output)
library_report = make_library_report(output)
vuln_report = make_vuln_report(output)
reports = summary_report + library_report + vuln_report
build_output(output, code=0, reports=reports)
print(reports)
return output
def main(input_path):
'''
From a given NPM package path, installs npm dependency packages,
generates dependency tree, generates full package coordinates using from dependency tree,
then searches vulnerability database for any matching vulnerabilities
'''
# This output dictionary will collect all the reports, stdouts, warning, and error messages for the final output
output = {}
package_manager = "NPM"
start_time = time.time()
build_output(output,
package_manager=package_manager,
start_time=start_time)
# Check if input path is valid. If not valid, exit with error message
package_path = os.path.abspath(input_path)
if is_valid_folder_path(package_path) is False:
error_message = (
"ERROR: Invalid path entered for scan path. Please check the path before proceeding."
)
return build_output(output,
code=4,
error_message=error_message,
package_path=package_path)
build_output(output, package_path=package_path)
# Checks if npm is installed. If not installed, exit with error message
try:
npm_ver_run_result, npm_ver_stdout, npm_err_stderr = run_npm_version()
except FileNotFoundError:
error_message = "ERROR: NPM not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
if npm_ver_run_result is False:
error_message = "ERROR: NPM not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
message = "{} dependency checker started.".format(package_manager)
print(message)
message += "Scanning \"{}\" directory.".format(package_path)
build_output(output,
message=message,
start_time=start_time,
package_manager=package_manager,
package_path=package_path)
npm_version = get_npm_version(npm_ver_stdout)
if npm_version is not None:
print("Found NPM version: {}".format(npm_version))
# Quit if package.json file does not exist
if not package_json_exists(package_path):
error_message = (
"ERROR: package.json file not found. package.json file is required for scanning."
)
return build_output(output, code=4, error_message=error_message)
# Lockfile exists.
if package_lock_json_exists(package_path) or npm_shrinkwrap_json_exists(
package_path):
message = "Dependency checker is installing your project's dependencies by running \"npm ci\" command..."
print(message)
build_output(output, message=message)
ci_run_result, ci_output, ci_error = run_npm_ci(package_path)
if ci_run_result is True:
dep_tree_run_result, dep_tree_output, dep_tree_error = get_dependency_tree_npm(
package_path)
if dep_tree_run_result is True:
output = analyze_and_report(package_manager, package_path,
dep_tree_output, start_time,
output)
return output
else:
warning_message = (
"WARNING: Dependency checker encountered an error while gathering dependencies using \"npm list\" command. "
"Dependency checker does not look for vulnerabilities in missing dependencies. Please resolve any missing dependencies. "
"Please see the error message from npm below:\n\n")
warning_message += dep_tree_error
build_output(output, warning_message=warning_message)
print(warning_message)
output = analyze_and_report(package_manager, package_path,
dep_tree_output, start_time,
output)
return output
else:
# npm ci failed
error_message = (
"ERROR: Dependency checker encountered an error while installing dependnecies "
"using \"npm ci\" command. "
"Please see the error message from npm below:\n\n")
error_message += ci_error
return build_output(output, code=4, error_message=error_message)
# Lockfile does not exists
message = "Dependency checker is installing your project's dependencies by running \"npm install\" command..."
print(message)
build_output(output, message=message)
# Run npm install
install_run_result, install_output, install_error = run_npm_install(
package_path)
if install_run_result is True:
# Get dependencies after npm install
dep_tree_run_result, dep_tree_output, dep_tree_error =\
get_dependency_tree_npm(package_path)
if dep_tree_run_result is True:
output = analyze_and_report(package_manager, package_path,
dep_tree_output, start_time, output)
return output
else:
warning_message = (
"WARNING: Dependency checker encountered an error while gathering dependencies using \"npm list\" command. "
"Dependency checker does not look for vulnerabilities in missing dependencies. Plese resolve any missing dependencies. "
"Please see the error message from npm below:\n\n")
warning_message += dep_tree_error
build_output(output, warning_message=warning_message)
print(warning_message)
output = analyze_and_report(package_manager, package_path,
dep_tree_output, start_time, output)
return output
else:
# npm install failed. display error message
error_message = (
"ERROR: Dependency checker encountered an error while installing dependencies using \"npm install\" command. "
"Please see the error message from npm below:\n\n")
error_message += install_error
return build_output(output, code=4, error_message=error_message)
def analyze_and_report(package_manager, package_path, dep_tree_output,
start_time, output):
dependencies = dep_tree_output.splitlines()
dbcoordinates = make_dbcoordinates(dependencies)
build_output(output, dbcoordinates=dbcoordinates)
try:
vulns = search_vuln_using_versionrange(dbcoordinates)
cves = search_cve_database(vulns)
except KeyError as e:
# login id or password not available from environment
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except NameError as e:
# login id or password is empty
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except requests.exceptions.RequestException as e:
error_message = "ERROR: Dependency checker could not connect to vulnerability database.\n"
#error_message += str(e)
return build_output(output, code=4, error_message=error_message)
if vulns is not None:
build_output(output, vulns=vulns)
if cves is not None:
build_output(output, cves=cves)
end_time = time.time()
duration = (str(datetime.timedelta(
seconds=(end_time - start_time))).split(".")[0]) + " (hr:min:sec)"
message = "Dependency checker scanning completed.\n"
build_output(output, message=message, duration=duration)
print(message)
# Generate reports
summary_report = make_summary_report(output)
library_report = make_library_report(
output
) # num of total lib = # of unique full coords (exclude missing for now)
vuln_report = make_vuln_report(output)
reports = summary_report + library_report + vuln_report
build_output(output, code=0, reports=reports)
print(reports)
return output
def main(input_path):
'''
'''
output = {}
package_manager = "Yarn"
start_time = time.time()
build_output(output,
package_manager=package_manager,
start_time=start_time)
# Check if input path is valid. If not valid, exit with error message
package_path = os.path.abspath(input_path)
if is_valid_folder_path(package_path) is False:
error_message = (
"ERROR: Invalid path entered for scan path. Please check the path before proceeding.\n"
)
return build_output(output,
code=4,
error_message=error_message,
package_path=package_path)
build_output(output, package_path=package_path)
# Check yarn is installed
try:
yarn_version = get_yarn_version()
except FileNotFoundError:
error_message = "ERROR: Yarn not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
# Check node is installed
try:
node_version = get_node_version()
except FileNotFoundError:
error_message = "ERROR: Node.js not found in your system. Please install it before proceeding."
return build_output(output, code=4, error_message=error_message)
message = package_manager + " dependency checker started."
print(message)
message += "Scanning \"{}\" directory.".format(package_path)
build_output(output,
message=message,
start_time=start_time,
package_manager=package_manager,
package_path=package_path)
if yarn_version is not None:
message = "Found Yarn version: {}".format(yarn_version)
build_output(output, message=message, pkgmanager_version=yarn_version)
print(message)
else:
# yarn version was not found.
warning_message = "WARNING: Could not verify installed version of Yarn. "
warning_message += "Dependency checker will attempt to scan anyway."
build_output(output, warning_message=warning_message)
print(warning_message)
if node_version is not None:
message = "Found Node version: {}".format(node_version)
build_output(output, message=message)
#print(message)
else:
# node version was not found.
warning_message = "WARNING: Could not verify installed version of node.js. "
warning_message += "Dependency checker will attempt to scan anyway."
build_output(output, warning_message=warning_message)
#print(warning_message)
# Check yarn.lock exists on input package's root
if yarn_lock_exists(package_path) is False:
error_message = "ERROR: yarn.lock file not found. yarn.lock file is required for scanning."
return build_output(output, code=4, error_message=error_message)
# Test if package can be installed
message = "Dependency checker is installing your project's dependencies by running \"yarn install --frozen-lockfile\" command..."
print(message)
build_output(output, message=message)
install_result, install_output, install_error = run_yarn_install(
package_path)
if install_result is False:
# yarn install failed. display error message and exit
error_message = (
"ERROR: Dependency checker encountered an error while installing your project's "
"dependencies using \"yarn install --frozen-lockfile\" command. "
"Please see the error message from yarn below:\n\n")
error_message += install_error
return build_output(output, code=4, error_message=error_message)
run_id = uuid.uuid4().hex
yarn_lock_filepath = get_yarn_lock_filepath(package_path)
run_result, run_stdout, run_stderr =\
convert_yarnlock_file_to_json(yarn_lock_filepath, run_id)
if run_result is True:
dependency_tree_filepath = run_stdout
else:
error_message = (
"ERROR: Dependency checker encountered an error while gathering dependencies.\n\n"
)
error_message += run_stderr
return build_output(output, code=4, error_message=error_message)
yarnlock_json = load_yarnlock_jsonfile(dependency_tree_filepath)
pkgcoordinates, dbcoordinates =\
make_pkgcoordinates_and_dbcoordinates_from_yarnlock_json(yarnlock_json)
build_output(output, dbcoordinates=dbcoordinates)
try:
vulns = search_vuln_using_versionrange(dbcoordinates)
cves = search_cve_database(vulns)
except KeyError as e:
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except NameError as e:
error_message = str(e)
return build_output(output, code=4, error_message=error_message)
except requests.exceptions.RequestException as e:
error_message = "ERROR: Dependency checker could not connect to vulnerability database.\n"
#error_message += str(e)
return build_output(output, code=4, error_message=error_message)
if vulns is not None:
build_output(output, vulns=vulns)
if cves is not None:
build_output(output, cves=cves)
end_time = time.time()
duration = (str(datetime.timedelta(
seconds=(end_time - start_time))).split(".")[0]) + " (hr:min:sec)"
message = "Dependency checker scanning completed.\n"
build_output(output, message=message, duration=duration)
print(message)
# Deletes generated dependency tree file in temp folder
try:
os.remove(dependency_tree_filepath)
except OSError:
pass
else:
message = "Dependency tree file at {} is removed.\n".format(
dependency_tree_filepath)
build_output(output, message=message)
# print(message)
# Generate reports
summary_report = make_summary_report(output)
library_report = make_library_report(output)
vuln_report = make_vuln_report(output)
reports = summary_report + library_report + vuln_report
build_output(output, code=0, reports=reports)
print(reports)
return output