
Changed PURL-PolicyEvaluator to use RegEx 'matches()', which fixes DependencyTrack#2144

Signed-off-by: Roland Asmann <roland.asmann@gmail.com>
malice00 authored and stephan-wolf-ais committed Mar 1, 2023
1 parent 7a24a27 commit 84159ba
Showing 2 changed files with 99 additions and 2 deletions.
Expand Up @@ -55,12 +55,19 @@ public List<PolicyConditionViolation> evaluate(final Policy policy, final Compon
}
for (final PolicyCondition condition: super.extractSupportedConditions(policy)) {
LOGGER.debug("Evaluating component (" + component.getUuid() + ") against policy condition (" + condition.getUuid() + ")");
String comparisonValueAsRegEx = condition.getValue();
if (!comparisonValueAsRegEx.startsWith("^") && !comparisonValueAsRegEx.startsWith(".*")) {
comparisonValueAsRegEx = ".*" + comparisonValueAsRegEx;
}
if (!comparisonValueAsRegEx.endsWith("$") && !comparisonValueAsRegEx.endsWith(".*")) {
comparisonValueAsRegEx += ".*";
}
if (PolicyCondition.Operator.MATCHES == condition.getOperator()) {
if (component.getPurl().canonicalize().contains(condition.getValue())) {
if (component.getPurl().canonicalize().matches(comparisonValueAsRegEx)) {
violations.add(new PolicyConditionViolation(condition, component));
}
} else if (PolicyCondition.Operator.NO_MATCH == condition.getOperator()) {
if (!component.getPurl().canonicalize().contains(condition.getValue())) {
if (!component.getPurl().canonicalize().matches(comparisonValueAsRegEx)) {
violations.add(new PolicyConditionViolation(condition, component));
}
}
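Review bot: `condition.getValue()` is now handed to `String.matches()` as a regular expression on the two `matches(comparisonValueAsRegEx)` lines, so a malformed value (an unbalanced `(`, say) throws `PatternSyntaxException` out of `evaluate` and aborts every remaining condition of the policy, and a pathological pattern can backtrack catastrophically against each component — the old `contains()` had neither failure mode, and the value is administrator-supplied rather than developer-controlled. The `.*` wrapping added before the operator check also changes the meaning of existing literal values that contain regex metacharacters (`?`, `+`, `.`), which presumably needs validation at the API or a migration; that is worth stating in the commit. I would compile the pattern once per condition inside a try/catch, log and skip the condition on `PatternSyntaxException`, and compute the match a single time for both operators, as below. `evaluate` begins and ends outside the hunk.

```java
            // … unchanged: loop header and debug log …
            final Pattern pattern;
            try {
                pattern = Pattern.compile(comparisonValueAsRegEx);
            } catch (PatternSyntaxException e) {
                LOGGER.warn("Skipping policy condition (" + condition.getUuid() + "): value is not a valid regular expression: " + e.getMessage());
                continue;
            }
            final boolean matched = pattern.matcher(component.getPurl().canonicalize()).matches();
            if (PolicyCondition.Operator.MATCHES == condition.getOperator() && matched) {
                violations.add(new PolicyConditionViolation(condition, component));
            } else if (PolicyCondition.Operator.NO_MATCH == condition.getOperator() && !matched) {
                violations.add(new PolicyConditionViolation(condition, component));
            }
```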
Expand Up @@ -103,4 +103,94 @@ public void issue1925_no_match() throws Exception {
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(0, violations.size());
}

@Test
public void issue2144_existing1() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, "pkg:generic/com/acme/example-component@1.0");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}

@Test
public void issue2144_existing2() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, "/com/acme/");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}

@Test
public void issue2144_groupIdWithDotMatchesSlash() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, "/com.acme/");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}

@Test
public void issue2144_wildcard() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, ".*com.acme.*");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}

@Test
public void issue2144_wildcard2() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, ".*acme.*myCompany.*");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0-myCompanyFix-1?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0-myCompanyFix-1"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}

@Test
public void issue2144_wildcard3() throws Exception {
Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.MATCHES, ".*(a|b|c)cme.*");
Component component = new Component();
component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
Assert.assertEquals(1, violations.size());
PolicyConditionViolation violation = violations.get(0);
Assert.assertEquals(component, violation.getComponent());
Assert.assertEquals(condition, violation.getPolicyCondition());
}
}
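Review bot: The new tests exercise only the `MATCHES` operator, while the evaluator hunk also rewrote the `NO_MATCH` branch to use `matches()`; nothing here pins that a regex condition under `NO_MATCH` yields no violation when the pattern matches the purl. There is likewise no test for a value containing regex metacharacters that `contains()` used to treat literally (the fixtures' own `?type=jar` suffix would be one), nor for an invalid pattern, so the behaviour change and the failure mode of the new code are not documented by the suite. A `NO_MATCH` counterpart to `issue2144_wildcard3`, as below, would close the first gap. The enclosing test class starts outside the hunk.

```java
    @Test
    public void issue2144_noMatchRegex() throws Exception {
        Policy policy = qm.createPolicy("Test Policy", Policy.Operator.ANY, Policy.ViolationState.INFO);
        qm.createPolicyCondition(policy, PolicyCondition.Subject.PACKAGE_URL, PolicyCondition.Operator.NO_MATCH, ".*(a|b|c)cme.*");
        Component component = new Component();
        component.setPurl(new PackageURL("pkg:generic/com/acme/example-component@1.0?type=jar"));
        component.setPurlCoordinates(new PackageURL("pkg:generic/com/acme/example-component@1.0"));
        PolicyEvaluator evaluator = new PackageURLPolicyEvaluator();
        List<PolicyConditionViolation> violations = evaluator.evaluate(policy, component);
        Assert.assertEquals(0, violations.size());
    }
```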
