[K9VULN-2465] Add validation of package names #1512

Merged
merged 3 commits into from
Jan 2, 2025
Merged
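--- a/src/commands/sbom/__tests__/validation.test.ts
+++ b/src/commands/sbom/__tests__/validation.test.ts
@@ -1,4 +1,10 @@
-import {getValidator, validateFileAgainstToolRequirements, validateSbomFileAgainstSchema} from '../validation'
+import {DependencyLanguage} from '../types'
+import {
+getValidator,
+validateDependencyName,
+validateFileAgainstToolRequirements,
+validateSbomFileAgainstSchema,
+} from '../validation'
 
 const validator = getValidator()
 
@@ -70,4 +76,58 @@ describe('validation of sbom file', () => {
 ).toBeFalsy()
 expect(validateFileAgainstToolRequirements('./src/commands/sbom/__tests__/fixtures/random-data', true)).toBeFalsy()
 })
+test('should have valid package name', () => {
+expect(
+validateDependencyName({
+name: 'foo bar',
+language: DependencyLanguage.PYTHON,
+version: undefined,
+group: undefined,
+licenses: [],
+purl: '',
+locations: [],
+is_direct: undefined,
+package_manager: 'pypi',
+})
+).toBeFalsy()
+expect(
+validateDependencyName({
+name: 'foobar',
+language: DependencyLanguage.PYTHON,
+version: undefined,
+group: undefined,
+licenses: [],
+purl: '',
+locations: [],
+is_direct: undefined,
+package_manager: 'pypi',
+})
+).toBeTruthy()
+expect(
+validateDependencyName({
+name: 'py',
+language: DependencyLanguage.PYTHON,
+version: undefined,
+group: undefined,
+licenses: [],
+purl: '',
+locations: [],
+is_direct: undefined,
+package_manager: 'pypi',
+})
+).toBeTruthy()
+expect(
+validateDependencyName({
+name: 'rx',
+language: DependencyLanguage.PYTHON,
+version: undefined,
+group: undefined,
+licenses: [],
+purl: '',
+locations: [],
+is_direct: undefined,
+package_manager: 'pypi',
+})
+).toBeTruthy()
+})
 })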
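Review bot: The new `should have valid package name` test only feeds `DependencyLanguage.PYTHON` entries to `validateDependencyName`, so the pass-through for every other language and the short-name boundary of the Python rule are both left unpinned. A case with `name: 'q'` (a real one-character PyPI name) asserted `toBeTruthy()` would document that one-character names are valid and, as far as I can tell from the regex in validation.ts in this PR, which demands both a leading and a trailing alphanumeric, it would currently fail, which is worth discovering before merge. A case with `name: 'foo bar'` and a non-Python `language` asserted `toBeTruthy()` would make the "only Python names are checked" behaviour explicit rather than incidental. The four near-identical fixture literals could be produced by a small helper taking only the name, so each case shows just what differs.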
1 change: 1 addition & 0 deletions src/commands/sbom/payload.ts
Expand Up @@ -105,6 +105,7 @@ export const generatePayload = (

if (component['type'] === 'library') {
const dependency = extractingDependency(component)

if (dependency !== undefined) {
dependencies.push(dependency)
}
15 changes: 15 additions & 0 deletions src/commands/sbom/renderer.ts
Expand Up @@ -2,6 +2,9 @@ import chalk from 'chalk'

import {getBaseUrl} from '../junit/utils'

import {Dependency} from './types'
import {validateDependencyName} from './validation'

const ICONS = {
FAILED: '❌',
SUCCESS: '✅',
Expand Down Expand Up @@ -74,3 +77,15 @@ export const renderSuccessfulCommand = (duration: number) => {

return fullStr
}

export const renderPayloadWarning = (dependencies: Dependency[]): string => {
let ret = ''

for (const dep of dependencies) {
if (!validateDependencyName(dep)) {
ret += `invalid dependency name ${dep.name}\n`
}
}

return ret
}
Comment on lines +81 to +91
Could we prettify this information similar to what we do in renderMissingTags, so it's easier to notice for end-users?

Suggested change
export const renderPayloadWarning = (dependencies: Dependency[]): string => {
let ret = ''
for (const dep of dependencies) {
if (!validateDependencyName(dep)) {
ret += `invalid dependency name ${dep.name}\n`
}
}
return ret
}
export const renderPayloadWarning = (dependencies: Dependency[]): string => {
const errors = []
for (const dep of dependencies) {
if (!validateDependencyName(dep)) {
errors.push(chalk.red(` - invalid dependency name ${dep.name}\n`))
}
}
if (errors.length === 0) {
return ''
}
let baseHeading = 'The following issues were detected:\n'
return baseHeading += errors.join('')
}
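Review bot: `dep.name` is interpolated verbatim into the terminal output in `renderPayloadWarning`, and the names that reach this branch are precisely the ones that failed validation, i.e. the ones most likely to carry newlines, ANSI escape sequences or other control characters coming from an untrusted SBOM file. Replacing `${dep.name}` with `${JSON.stringify(dep.name)}` in the template keeps each name on one line and escapes control characters, so a crafted component name cannot forge or hide lines of the command's output. The message could also say which rule was applied, since `validateDependencyName` only checks Python names, otherwise a user sees a name flagged with no hint of why. The function deserves a one-line doc comment, `/** Lists dependencies whose name fails validateDependencyName; empty string when all pass. */`.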

5 changes: 5 additions & 0 deletions src/commands/sbom/upload.ts
Expand Up @@ -20,6 +20,7 @@ import {
renderInvalidFile,
renderInvalidPayload,
renderNoDefaultBranch,
renderPayloadWarning,
renderSuccessfulCommand,
renderUploading,
} from './renderer'
Expand Down Expand Up @@ -130,12 +131,16 @@ export class UploadSbomCommand extends Command {
// Upload content
try {
const scaPayload = generatePayload(jsonContent, tags, service, environment)

if (!scaPayload) {
this.context.stdout.write(renderInvalidPayload(basePath))

return 1
}
this.context.stdout.write(renderPayloadWarning(scaPayload.dependencies))

this.context.stdout.write(renderUploading(basePath))

await api(scaPayload)
if (this.debug) {
this.context.stdout.write(`Upload done for ${basePath}.\n`)
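Review bot: The payload warning on the `renderPayloadWarning` line is written to `stdout`, the same stream as the command's regular output, so a caller capturing stdout gets the diagnostic mixed in and cannot separate it from the upload progress that follows. If the command context exposes a `stderr` stream (not visible in this hunk), `this.context.stderr.write(renderPayloadWarning(scaPayload.dependencies))` keeps warnings apart from results. A short comment would also help, `// names that fail validation are reported but still uploaded unchanged`, because a reader may otherwise assume the warning implies filtering. The enclosing `try` and its `catch` continue outside the hunk.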
11 changes: 11 additions & 0 deletions src/commands/sbom/validation.ts
Expand Up @@ -8,6 +8,7 @@ import cycloneDxSchema14 from './json-schema/cyclonedx/bom-1.4.schema.json'
import cycloneDxSchema15 from './json-schema/cyclonedx/bom-1.5.schema.json'
import jsfSchema from './json-schema/jsf/jsf-0.82.schema.json'
import spdxSchema from './json-schema/spdx/spdx.schema.json'
import {Dependency, DependencyLanguage} from './types'

/**
* Get the validate function. Read all the schemas and return
Expand Down Expand Up @@ -147,3 +148,13 @@ export const validateFileAgainstToolRequirements = (path: string, debug: boolean

return true
}

const pythonPackaNameRegex = new RegExp('^[a-zA-Z0-9][a-zA-Z0-9\\-_.]*[a-zA-Z0-9]$')

export const validateDependencyName = (dependency: Dependency): boolean => {
if (dependency.language === DependencyLanguage.PYTHON && !pythonPackaNameRegex.test(dependency.name)) {
Comment on lines +152 to +155
Suggested change
const pythonPackaNameRegex = new RegExp('^[a-zA-Z0-9][a-zA-Z0-9\\-_.]*[a-zA-Z0-9]$')
export const validateDependencyName = (dependency: Dependency): boolean => {
if (dependency.language === DependencyLanguage.PYTHON && !pythonPackaNameRegex.test(dependency.name)) {
const pythonPackageNameRegex = new RegExp('^[a-zA-Z0-9][a-zA-Z0-9\\-_.]*[a-zA-Z0-9]$')
export const validateDependencyName = (dependency: Dependency): boolean => {
if (dependency.language === DependencyLanguage.PYTHON && !pythonPackageNameRegex.test(dependency.name)) {

return false
}

return true
}
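Review bot: The pattern on the `new RegExp(...)` line requires both a leading and a trailing alphanumeric, so it rejects every one-character name, yet single-character PyPI names exist (`q`, for instance) and PEP 508 allows them: its name grammar is `([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])`, matched case-insensitively. Replacing the pattern with the literal `/^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$/` fixes that boundary and drops the double escaping the string form needs. Since this is the gate that decides what gets flagged before upload, a comment above it naming the rule and its scope, `// PEP 508 project-name grammar; names from other ecosystems are not checked`, would save the next reader from re-deriving it. The test file in this PR has no one-character case, so the gap is currently invisible.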