pkg/fanal/analyzer/language/python/packaging/packaging.go

package packaging

import (
	"archive/zip"
	"bytes"
	"context"
	"io"
	"os"
	"path/filepath"
	"strings"

	"golang.org/x/xerrors"

	dio "github.com/aquasecurity/go-dep-parser/pkg/io"
	"github.com/aquasecurity/go-dep-parser/pkg/python/packaging"
	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
	"github.com/aquasecurity/trivy/pkg/fanal/types"
)

func init() {
	analyzer.RegisterAnalyzer(&packagingAnalyzer{})
}

const version = 1

var (
	requiredFiles = []string{
		// .egg format
		// https://setuptools.readthedocs.io/en/latest/deprecated/python_eggs.html#eggs-and-their-formats
		".egg", // zip format
		"EGG-INFO/PKG-INFO",

		// .egg-info format: .egg-info can be a file or directory
		// https://setuptools.readthedocs.io/en/latest/deprecated/python_eggs.html#eggs-and-their-formats
		".egg-info",
		".egg-info/PKG-INFO",

		// wheel
		".dist-info/METADATA",
	}
)

type packagingAnalyzer struct{}

// Analyze analyzes egg and wheel files.
func (a packagingAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
	r := input.Content

	// .egg file is zip format and PKG-INFO needs to be extracted from the zip file.
	if strings.HasSuffix(input.FilePath, ".egg") {
		pkginfoInZip, err := a.analyzeEggZip(input.Content, input.Info.Size())
		if err != nil {
			return nil, xerrors.Errorf("egg analysis error: %w", err)
		}

		// Egg archive may not contain required files, then we will get nil. Skip this archives
		if pkginfoInZip == nil {
			return nil, nil
		}

		r = pkginfoInZip
	}

	p := packaging.NewParser()
	libs, deps, err := p.Parse(r)
	if err != nil {
		return nil, xerrors.Errorf("unable to parse %s: %w", input.FilePath, err)
	}

	return language.ToAnalysisResult(types.PythonPkg, input.FilePath, input.FilePath, libs, deps), nil
}

func (a packagingAnalyzer) analyzeEggZip(r io.ReaderAt, size int64) (dio.ReadSeekerAt, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return nil, xerrors.Errorf("zip reader error: %w", err)
	}

	for _, file := range zr.File {
		if !a.Required(file.Name, nil) {
			continue
		}

		return a.open(file)
	}

	return nil, nil
}

func (a packagingAnalyzer) open(file *zip.File) (dio.ReadSeekerAt, error) {
	f, err := file.Open()
	if err != nil {
		return nil, err
	}
	defer f.Close()

	b, err := io.ReadAll(f)
	if err != nil {
		return nil, xerrors.Errorf("file %s open error: %w", file.Name, err)
	}

	return bytes.NewReader(b), nil
}

func (a packagingAnalyzer) Required(filePath string, _ os.FileInfo) bool {
	// For Windows
	filePath = filepath.ToSlash(filePath)

	for _, r := range requiredFiles {
		if strings.HasSuffix(filePath, r) {
			return true
		}
	}
	return false
}

func (a packagingAnalyzer) Type() analyzer.Type {
	return analyzer.TypePythonPkg
}

func (a packagingAnalyzer) Version() int {
	return version
}
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`package packaging`

			`import (`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`"archive/zip"`
feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`"bytes"`
refactor: add ctx object to analyser (fanal#303) 2021-10-06 19:18:50 +05:30			`"context"`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`"io"`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`"os"`
			`"path/filepath"`
			`"strings"`

			`"golang.org/x/xerrors"`

feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`dio "github.com/aquasecurity/go-dep-parser/pkg/io"`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`"github.com/aquasecurity/go-dep-parser/pkg/python/packaging"`
refactor: Fix fanal import paths and remove dotfiles 2022-06-20 09:43:33 +01:00			`"github.com/aquasecurity/trivy/pkg/fanal/analyzer"`
			`"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"`
			`"github.com/aquasecurity/trivy/pkg/fanal/types"`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`)`

			`func init() {`
			`analyzer.RegisterAnalyzer(&packagingAnalyzer{})`
			`}`

			`const version = 1`

			`var (`
			`requiredFiles = []string{`
feat(python): support egg format (fanal#266) 2021-09-13 14:14:17 +03:00			`// .egg format`
			`// https://setuptools.readthedocs.io/en/latest/deprecated/python_eggs.html#eggs-and-their-formats`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`".egg", // zip format`
feat(python): support egg format (fanal#266) 2021-09-13 14:14:17 +03:00			`"EGG-INFO/PKG-INFO",`

			`// .egg-info format: .egg-info can be a file or directory`
			`// https://setuptools.readthedocs.io/en/latest/deprecated/python_eggs.html#eggs-and-their-formats`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`".egg-info",`
			`".egg-info/PKG-INFO",`

			`// wheel`
			`".dist-info/METADATA",`
			`}`
			`)`

			`type packagingAnalyzer struct{}`

			`// Analyze analyzes egg and wheel files.`
feat(java): support offline mode (fanal#349) 2021-12-24 08:26:10 +02:00			`func (a packagingAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {`
feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`r := input.Content`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00
			`// .egg file is zip format and PKG-INFO needs to be extracted from the zip file.`
feat(java): support offline mode (fanal#349) 2021-12-24 08:26:10 +02:00			`if strings.HasSuffix(input.FilePath, ".egg") {`
			`pkginfoInZip, err := a.analyzeEggZip(input.Content, input.Info.Size())`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`if err != nil {`
			`return nil, xerrors.Errorf("egg analysis error: %w", err)`
			`}`
feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00
			`// Egg archive may not contain required files, then we will get nil. Skip this archives`
			`if pkginfoInZip == nil {`
fix(python): fixed panic when scan .egg archive (fanal#446) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2022-04-14 14:34:17 +06:00			`return nil, nil`
			`}`

fix(analyzer): improve performance (fanal#314) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2021-12-24 03:15:36 +09:00			`r = pkginfoInZip`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`}`

feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`p := packaging.NewParser()`
			`libs, deps, err := p.Parse(r)`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`if err != nil {`
feat(java): support offline mode (fanal#349) 2021-12-24 08:26:10 +02:00			`return nil, xerrors.Errorf("unable to parse %s: %w", input.FilePath, err)`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`}`

feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`return language.ToAnalysisResult(types.PythonPkg, input.FilePath, input.FilePath, libs, deps), nil`
feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`}`

feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`func (a packagingAnalyzer) analyzeEggZip(r io.ReaderAt, size int64) (dio.ReadSeekerAt, error) {`
fix(analyzer): improve performance (fanal#314) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2021-12-24 03:15:36 +09:00			`zr, err := zip.NewReader(r, size)`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`if err != nil {`
			`return nil, xerrors.Errorf("zip reader error: %w", err)`
			`}`

			`for _, file := range zr.File {`
			`if !a.Required(file.Name, nil) {`
			`continue`
			`}`

			`return a.open(file)`
			`}`

			`return nil, nil`
			`}`

feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`func (a packagingAnalyzer) open(file *zip.File) (dio.ReadSeekerAt, error) {`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`f, err := file.Open()`
			`if err != nil {`
			`return nil, err`
			`}`
feat(lang): add parent dependencies (fanal#459) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2022-05-03 22:06:36 +06:00			`defer f.Close()`

			`b, err := io.ReadAll(f)`
			`if err != nil {`
			`return nil, xerrors.Errorf("file %s open error: %w", file.Name, err)`
			`}`

			`return bytes.NewReader(b), nil`
feat(python): support egg zip (fanal#267) 2021-09-13 15:02:06 +03:00			`}`

feat(python): add egg and wheel analyzer (fanal#223) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> 2021-08-19 16:32:24 +05:30			`func (a packagingAnalyzer) Required(filePath string, _ os.FileInfo) bool {`
			`// For Windows`
			`filePath = filepath.ToSlash(filePath)`

			`for _, r := range requiredFiles {`
			`if strings.HasSuffix(filePath, r) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func (a packagingAnalyzer) Type() analyzer.Type {`
			`return analyzer.TypePythonPkg`
			`}`

			`func (a packagingAnalyzer) Version() int {`
			`return version`
			`}`