add source code

Author: nabeelsaabna

.gitignore

@@ -0,0 +1,11 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+
+*.iml
+.idea/

.goreleaser.yml

@@ -0,0 +1,66 @@
+project_name: log4j-detect
+
+release:
+  prerelease: auto
+  name_template: "{{.ProjectName}}-v{{.Version}}"
+
+  github:
+    owner: whitesource
+    name: log4j-detect-distribution
+
+changelog:
+  skip: true
+
+before:
+  hooks:
+    - go mod tidy
+
+checksum:
+  algorithm: sha256
+  # Disable the generation/upload of the checksum file.
+  disable: false
+
+builds:
+  - <<: &build_defaults
+      binary: log4j-detect
+      main: ./main.go
+
+    id: linux
+    goos: [ linux ]
+    goarch: [ amd64, arm64 ]
+
+  - <<: *build_defaults
+    id: windows
+    goos: [ windows ]
+    goarch: [ amd64, arm64 ]
+
+  - <<: *build_defaults
+    id: macos
+    goos: [ darwin ]
+    goarch: [ amd64, arm64 ]
+
+
+archives:
+  - <<: &archive_defaults
+      name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
+      wrap_in_directory: "false"
+      files:
+        - none*
+    id: unix
+    builds: [ linux, macos ]
+    format: tar.gz
+
+  - <<: *archive_defaults
+    id: windows
+    builds: [ windows ]
+    format: zip
+
+nfpms:
+  - maintainer: WhiteSource
+    vendor: WhiteSource
+    homepage: https://github.com/whitesource/icu-log4j-distribution
+    description: Tool for discovering "log4shell" exploit
+    bindir: /usr/bin
+    formats:
+      - deb
+      - rpm

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 nabeel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

cmd/clioptions/options.go

@@ -0,0 +1,25 @@
+package clioptions
+
+import (
+	"io"
+	"os"
+)
+
+// IOStreams provides the standard names for iostreams.
+type IOStreams struct {
+	// In think, os.Stdin
+	In io.Reader
+	// Out think, os.Stdout
+	Out io.Writer
+	// ErrOut think, os.Stderr
+	ErrOut io.Writer
+}
+
+// StandardIOStreams returns an IOStreams from os.Stdin, os.Stdout
+func StandardIOStreams() IOStreams {
+	return IOStreams{
+		In:     os.Stdin,
+		Out:    os.Stdout,
+		ErrOut: os.Stderr,
+	}
+}

cmd/clioptions/settings/fs.go

@@ -0,0 +1,33 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/log4j-detect/fs"
+	"github.com/whitesource/log4j-detect/operations"
+	fsop "github.com/whitesource/log4j-detect/operations/fs"
+	rc "github.com/whitesource/log4j-detect/records"
+	fsscreen "github.com/whitesource/log4j-detect/screening/fs"
+	"github.com/whitesource/log4j-detect/utils/exec"
+)
+
+type FilesystemResolver struct {
+	Disabled bool
+}
+
+func (r FilesystemResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OFS: fsscreen.Query()}
+}
+
+func (r FilesystemResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OFS: fsop.NewSurgeon(logger, commander),
+	}
+}

cmd/clioptions/settings/gradle.go

@@ -0,0 +1,38 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/log4j-detect/fs"
+	"github.com/whitesource/log4j-detect/operations"
+	gradleS "github.com/whitesource/log4j-detect/operations/gradle"
+	rc "github.com/whitesource/log4j-detect/records"
+	gradleQ "github.com/whitesource/log4j-detect/screening/gradle"
+	"github.com/whitesource/log4j-detect/utils/exec"
+)
+
+type GradleResolver struct {
+	Disabled       bool
+	AdditionalArgs []string
+	Configurations struct {
+		Include []string
+		Exclude []string
+	}
+}
+
+func (r GradleResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OGradle: gradleQ.Query()}
+}
+
+func (r GradleResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OGradle: gradleS.NewSurgeon(logger, commander, r.AdditionalArgs, r.Configurations.Include, r.Configurations.Exclude),
+	}
+}

cmd/clioptions/settings/maven.go

@@ -0,0 +1,38 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/log4j-detect/fs"
+	"github.com/whitesource/log4j-detect/operations"
+	mavenS "github.com/whitesource/log4j-detect/operations/maven"
+	rc "github.com/whitesource/log4j-detect/records"
+	mavenQ "github.com/whitesource/log4j-detect/screening/maven"
+	"github.com/whitesource/log4j-detect/utils/exec"
+)
+
+type MavenResolver struct {
+	Disabled       bool
+	AdditionalArgs []string
+	Scopes         struct {
+		Include []string
+		Exclude []string
+	}
+}
+
+func (r MavenResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OMaven: mavenQ.Query()}
+}
+
+func (r MavenResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OMaven: mavenS.NewSurgeon(logger, commander, r.AdditionalArgs, r.Scopes.Include, r.Scopes.Exclude),
+	}
+}

cmd/clioptions/settings/settings.go

@@ -0,0 +1,98 @@
+package settings
+
+import (
+	"fmt"
+	"github.com/go-logr/logr"
+	"github.com/spf13/cobra"
+	"github.com/whitesource/log4j-detect/fs"
+	"github.com/whitesource/log4j-detect/fs/match"
+	"github.com/whitesource/log4j-detect/operations"
+	"github.com/whitesource/log4j-detect/records"
+	"github.com/whitesource/log4j-detect/utils/exec"
+	"regexp"
+)
+
+type Flags struct {
+	mavenOnly  bool
+	gradleOnly bool
+}
+
+func (f *Flags) ToSettings(logger logr.Logger) (*Settings, error) {
+	if f.mavenOnly && f.gradleOnly {
+		return nil, fmt.Errorf("bad")
+	}
+
+	s := &Settings{
+		Resolvers: Resolvers{
+			Gradle: GradleResolver{
+				Disabled: f.mavenOnly,
+			},
+			Maven: MavenResolver{
+				Disabled: f.gradleOnly,
+			},
+			Fs: FilesystemResolver{
+				Disabled: false,
+			},
+		},
+		logger: logger,
+	}
+	return s, nil
+}
+
+func AddFlags(cmd *cobra.Command, f *Flags) {
+	cmd.Flags().BoolVarP(&f.mavenOnly, "maven-only", "m", false, "only scan for maven projects")
+	cmd.Flags().BoolVarP(&f.gradleOnly, "gradle-only", "g", false, "only scan for gradle projects")
+}
+
+// Settings represents all settings.
+// this includes logging parameters and other parameters that may modify the
+// behavior of resolvers for different package managers.
+// It does not contain authentication information - this should be stored in a profile or passed as arguments.
+type Settings struct {
+	Resolvers Resolvers
+	Excludes  []string
+	logger    logr.Logger
+}
+
+type Resolvers struct {
+	Gradle GradleResolver
+	Maven  MavenResolver
+	Fs     FilesystemResolver
+}
+
+type Resolver interface {
+	Queries() map[records.Organ]*fs.Query
+	Surgeons(logger logr.Logger, commander exec.Commander) map[records.Organ]operations.Surgeon
+}
+
+var defaultExcludes = match.Or(
+	match.FilenameRegex(regexp.MustCompile("^target$")),
+)
+
+func (s *Settings) GlobalExcludes() match.Matcher {
+	if s.Excludes == nil {
+		return defaultExcludes
+	}
+
+	if len(s.Excludes) == 0 {
+		return nil
+	}
+
+	var excludeMatchers []match.Matcher
+	for _, e := range s.Excludes {
+		if r, err := regexp.Compile(e); err == nil {
+			excludeMatchers = append(excludeMatchers, match.FilenameRegex(r))
+		} else {
+			s.logger.Info("invalid regex syntax found in excludes", "regex", e)
+		}
+	}
+	return match.Or(excludeMatchers...)
+}
+
+func (r *Resolvers) ManifestQueries() map[records.Organ]*fs.Query {
+	return mergeQueries(r.Maven, r.Gradle, r.Fs)
+}
+
+func (r *Resolvers) Surgeons(logger logr.Logger, commander exec.Commander) map[records.Organ]operations.Surgeon {
+	return mergeSurgeons(logger, commander, r.Maven, r.Gradle, r.Fs)
+}

cmd/clioptions/settings/settings_test.go

@@ -0,0 +1,23 @@
+package settings
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestSettings_GlobalExcludes(t *testing.T) {
+	s := Settings{}
+	assert.Equal(t, s.GlobalExcludes(), defaultExcludes)
+
+	s = Settings{
+		Excludes: []string{},
+	}
+	assert.NotEqual(t, s.GlobalExcludes(), defaultExcludes)
+
+	s = Settings{
+		Excludes: []string{"^\\.git$", "^node_modules$"},
+	}
+	exclude := s.GlobalExcludes()
+	assert.True(t, exclude.Match(".git", "", 0))
+	assert.True(t, exclude.Match("node_modules", "", 0))
+}