feat: Add support for Javascript package scanning (Fixes intel#1453)

anthonyharrison · Jan 25, 2022 · dcb8411 · dcb8411
1 parent 9934aed
commit dcb8411
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import json
 import os
 import subprocess
 import sys
@@ -118,6 +119,7 @@ def is_executable(self, filename):
                 and ("PKG-INFO: " not in output)
                 and ("METADATA: " not in output)
                 and ("pom.xml" not in output)
+                and ("package-lock.json" not in output)
             ):
                 return False, None
         # otherwise use python implementation of file
@@ -168,6 +170,11 @@ def scan_file(self, filename):
             java_lines = "\n".join(lines.splitlines())
             yield from self.run_java_checker(filename, java_lines)
 
+        # Javascript checker
+        if output and "package-lock.json" in output:
+            javascript_lines = "\n".join(lines.splitlines())
+            yield from self.run_js_checker(filename, javascript_lines)
+
         #  If python package then strip the lines to avoid detecting other product strings
         if output and ("PKG-INFO: " in output or "METADATA: " in output):
             py_lines = "\n".join(lines.splitlines()[:3])
@@ -243,6 +250,44 @@ def run_java_checker(self, filename, lines):
 
         self.logger.debug(f"Done scanning file: {filename}")
 
+    def find_js_vendor(self, product, version):
+        """Find vendor for Javascript product"""
+        vendor_package_pair = self.cve_db.get_vendor_product_pairs(product)
+        if vendor_package_pair != []:
+            vendor = vendor_package_pair[0]["vendor"]
+            file_path = "".join(self.file_stack)
+            if version[0] == "^":
+                version = version[1:]
+            self.logger.debug(f"{file_path} {product} {version} by {vendor}")
+            return ProductInfo(vendor, product, version), file_path
+        return None, None
+
+    def run_js_checker(self, filename, lines):
+        """Process package-lock.json file and extract product and dependency details"""
+        fh = open(filename)
+        # returns JSON object as a dictionary
+        data = json.load(fh)
+        product = data["name"]
+        version = data["version"]
+        product_info, file_path = self.find_js_vendor(product, version)
+        if file_path is not None:
+            yield product_info, file_path
+        # Now process dependencies
+        for i in data["dependencies"]:
+            product_info, file_path = self.find_js_vendor(
+                i, data["dependencies"][i]["version"]
+            )
+            if file_path is not None:
+                yield product_info, file_path
+            if "requires" in data["dependencies"][i]:
+                for r in data["dependencies"][i]["requires"]:
+                    product_info, file_path = self.find_js_vendor(
+                        r, data["dependencies"][i]["requires"][r]
+                    )
+                    if file_path is not None:
+                        yield product_info, file_path
+        self.logger.debug(f"Done scanning file: {filename}")
+
     def run_python_package_checkers(self, filename, lines):
         """
         This generator runs only for python packages.