add ruby support (#3)

* Add support for ruby scanning

* use both jgem and gem for finding gem cache dirs

* small bug fixes / improvements

* fix windows bug, add error logs when operation fails

* add bundler info to README.md, fix gempath and nil panic bugs

* clean up code, fix bugs

* clean up README.md

* remove paren

Author: NoamDolovichWS

README.md

@@ -14,8 +14,9 @@ The supported packages managers are:
 
 * gradle
 * maven
+* bundler
 
-In addition, the tool will search for vulnerable files with the `.jar` extension.
+In addition, the tool will search for vulnerable files with the `.jar`,`.gem` extensions.
 
 ### Prerequisites:
 
@@ -40,6 +41,12 @@ In addition, the tool will search for vulnerable files with the `.jar` extension
        ```shell
        mvn install
        ```
+
+    * bundler projects __must__ be built prior to scanning, e.g. with the following command:
+       ```shell
+       jbundler install
+       ```
+
     * It is not necessary to run `gradle build` prior to scanning a `gradle` project, but that will greatly decrease the
       scan time
 
@@ -53,7 +60,8 @@ In order to scan your project, simply run the following command:
 log4j-detect scan -d PROJECT_DIR
 ```
 
-The folder can include source code that uses maven/gradle in the project, as well as binaries (i.e jar files)
+The folder can include source code that uses supported package managers in the project, as well binaries with the
+supported extensions mentioned above
 
 ## Installation
 

cmd/clioptions/settings/ruby.go

@@ -0,0 +1,33 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/log4j-detect/fs"
+	"github.com/whitesource/log4j-detect/operations"
+	rubyS "github.com/whitesource/log4j-detect/operations/ruby"
+	rc "github.com/whitesource/log4j-detect/records"
+	rubyQ "github.com/whitesource/log4j-detect/screening/ruby"
+	"github.com/whitesource/log4j-detect/utils/exec"
+)
+
+type RubyResolver struct {
+	Disabled bool
+}
+
+func (r RubyResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.ORuby: rubyQ.Query()}
+}
+
+func (r RubyResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.ORuby: rubyS.NewSurgeon(logger, commander),
+	}
+}

cmd/clioptions/settings/settings.go

@@ -3,7 +3,6 @@ package settings
 import (
 	"fmt"
 	"github.com/go-logr/logr"
-	"github.com/spf13/cobra"
 	"github.com/whitesource/log4j-detect/fs"
 	"github.com/whitesource/log4j-detect/fs/match"
 	"github.com/whitesource/log4j-detect/operations"
@@ -33,17 +32,15 @@ func (f *Flags) ToSettings(logger logr.Logger) (*Settings, error) {
 			Fs: FilesystemResolver{
 				Disabled: false,
 			},
+			Ruby: RubyResolver{
+				Disabled: false,
+			},
 		},
 		logger: logger,
 	}
 	return s, nil
 }
 
-func AddFlags(cmd *cobra.Command, f *Flags) {
-	cmd.Flags().BoolVarP(&f.mavenOnly, "maven-only", "m", false, "only scan for maven projects")
-	cmd.Flags().BoolVarP(&f.gradleOnly, "gradle-only", "g", false, "only scan for gradle projects")
-}
-
 // Settings represents all settings.
 // this includes logging parameters and other parameters that may modify the
 // behavior of resolvers for different package managers.
@@ -58,6 +55,7 @@ type Resolvers struct {
 	Gradle GradleResolver
 	Maven  MavenResolver
 	Fs     FilesystemResolver
+	Ruby   RubyResolver
 }
 
 type Resolver interface {
@@ -90,9 +88,9 @@ func (s *Settings) GlobalExcludes() match.Matcher {
 }
 
 func (r *Resolvers) ManifestQueries() map[records.Organ]*fs.Query {
-	return mergeQueries(r.Maven, r.Gradle, r.Fs)
+	return mergeQueries(r.Maven, r.Gradle, r.Fs, r.Ruby)
 }
 
 func (r *Resolvers) Surgeons(logger logr.Logger, commander exec.Commander) map[records.Organ]operations.Surgeon {
-	return mergeSurgeons(logger, commander, r.Maven, r.Gradle, r.Fs)
+	return mergeSurgeons(logger, commander, r.Maven, r.Gradle, r.Fs, r.Ruby)
 }

cmd/scan/cve/libs.json

@@ -23,12 +23,16 @@ var fixes = map[string]map[string]string{
 }
 
 //go:embed cve/libs.json
-var cveFiles []byte
+var libs []byte
 
-var cve2Lib []records.VulnerableLib
+type Sha1ToLib map[string]records.VulnerableLib
+
+type CveToSha1ToLib map[string]Sha1ToLib
+
+var cve2Sha2Lib CveToSha1ToLib
 
 func init() {
-	err := json.Unmarshal(cveFiles, &cve2Lib)
+	err := json.Unmarshal(libs, &cve2Sha2Lib)
 	if err != nil {
 		panic(fmt.Sprintf("failed to unmarshal libraries: %v", err))
 	}

cmd/scan/log4j.go

@@ -74,16 +74,14 @@ func (o *Options) Run() error {
 
 	operationResults := operations.Perform(o.Logger, detected, o.Settings.Resolvers.Surgeons(o.Logger, o.commander))
 	enhancedResults := supplements.Supplement(o.Logger, operationResults)
-	cves := o.addVulnerabilities(enhancedResults, cve2Lib)
+	cves := o.addVulnerabilities(enhancedResults, cve2Sha2Lib)
 
 	_, _ = fmt.Fprintln(o.Out)
 
 	if len(cves) > 0 {
 		o.displayVulnerabilities(enhancedResults)
 		_, _ = fmt.Fprintf(o.Out, `
 One or more of your projects contain the %s exploit.
-
-Remediation steps:
 %s
 Learn more about the vulnerability and it's remediation:
 %s
@@ -100,18 +98,16 @@ Learn more about the vulnerability and it's remediation:
 	return nil
 }
 
-func (o *Options) addVulnerabilities(results []records.EnhancedResult, vulnerableLibs []records.VulnerableLib) []string {
-	count := 0
+func (o *Options) addVulnerabilities(results []records.EnhancedResult, cve2Sha12Lib CveToSha1ToLib) []string {
 	cveMap := map[string]bool{}
 	for i := range results {
 		r := &results[i]
 		r.DepId2VulnerableLib = map[records.Id]records.VulnerableLib{}
 		for id, dep := range *r.Deps {
-			for _, lib := range vulnerableLibs {
-				if dep.Sha1 == lib.Sha1 {
+			for cve, sha12Lib := range cve2Sha12Lib {
+				if lib, ok := sha12Lib[dep.Sha1]; ok {
 					r.DepId2VulnerableLib[id] = lib
-					cveMap[lib.CVE] = true
-					count++
+					cveMap[cve] = true
 				}
 			}
 		}
@@ -141,7 +137,7 @@ func (o *Options) displayVulnerabilities(results []records.EnhancedResult) {
 				break
 			}
 
-			_, _ = fmt.Fprintln(o.Out, utils.MakeBlueText("Vulnerable Jars: "))
+			_, _ = fmt.Fprintln(o.Out, utils.MakeBlueText("Vulnerable Files: "))
 			for id := range r.DepId2VulnerableLib {
 				path := (*r.Libraries)[id].SystemPath
 				if abs, err := filepath.Abs(path); err == nil {
@@ -159,14 +155,19 @@ func (o *Options) generateRemediationSteps(results []records.EnhancedResult) str
 	for _, r := range results {
 		for _, v := range r.DepId2VulnerableLib {
 			if artifact2Fix, found := fixes[v.GroupId]; found {
-				if fix, found := artifact2Fix[v.ArtifactId]; found {
+				if fix, fixFound := artifact2Fix[v.ArtifactId]; fixFound {
 					set[fix] = true
 				}
 			}
 		}
 	}
 
+	if len(set) == 0 {
+		return ""
+	}
+
 	var steps strings.Builder
+	steps.WriteString("\nRemediation Steps:\n")
 	for fix := range set {
 		steps.WriteString(fmt.Sprintf("\t* %s\n", fix))
 	}

cmd/scan/scan.go

@@ -3,6 +3,7 @@ package match
 import (
 	"io/fs"
 	"regexp"
+	"strings"
 )
 
 // NameMatcher represents an arbitrary test for a file name (without leading directories)
@@ -34,3 +35,14 @@ func NewNameRegexMatcher(rs ...*regexp.Regexp) func(name string, _ fs.FileMode)
 		return false
 	}
 }
+
+func NewExtensionMatcher(extensions ...string) func(name string, _ fs.FileMode) bool {
+	return func(name string, _ fs.FileMode) bool {
+		for _, ext := range extensions {
+			if strings.HasSuffix(name, "."+ext) {
+				return true
+			}
+		}
+		return false
+	}
+}

fs/match/name.go

@@ -4,7 +4,6 @@ import (
 	_ "embed"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"github.com/go-logr/logr"
 	"github.com/whitesource/log4j-detect/records"
 	"github.com/whitesource/log4j-detect/utils"
@@ -229,12 +228,7 @@ func toStringList(strMap map[string]bool) (values []string) {
 
 // persistInitScript saves the gradle init script to a temp file and returns the path
 func persistInitScript() (string, error) {
-	file, err := ioutil.TempFile("", "gradle")
-	if err != nil {
-		return "", fmt.Errorf("gradle: failed to create temp file: %w", err)
-	}
-	_, err = file.WriteString(initScriptSource)
-	return file.Name(), err
+	return utils.CreateTempFile(initScriptSource, "gradle")
 }
 
 func buildOpResult(project Project) records.OperationResult {

operations/gradle/gradle.go

@@ -0,0 +1,25 @@
+require 'bundler'
+require 'json'
+
+def parse_lock(file_path)
+  parser = Bundler::LockfileParser.new(Bundler.read_file(file_path))
+
+  direct = parser.dependencies.keys
+  depsToChildren = {}
+  deps = {}
+
+  parser.specs.each do |spec|
+    children = []
+    spec.dependencies.each do |dep|
+      children << dep.name
+    end
+    depsToChildren[spec.name] = children
+    deps[spec.name] = {"name": spec.name, "version": spec.version.to_s}
+  end
+
+  res = { directDependencies: direct, depsToChildren: depsToChildren, dependencies: deps }
+  puts JSON.pretty_generate(res)
+end
+
+# ARGV[0] -> path to Gemfile.lock or gems.locked
+parse_lock(ARGV[0])