@@ -401,7 +401,8 @@ internal static partial class DotNetCapabilityScanner
|
||||
}
|
||||
|
||||
// DataContractSerializer - Medium
|
||||
if (strippedLine.Contains("DataContractSerializer"))
|
||||
if (strippedLine.Contains("DataContractSerializer") &&
|
||||
!strippedLine.Contains("NetDataContractSerializer"))
|
||||
{
|
||||
evidences.Add(new DotNetCapabilityEvidence(
|
||||
CapabilityKind.Serialization,
|
||||
|
||||
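Review bot: The new exclusion in `&& !strippedLine.Contains("NetDataContractSerializer")` means a line mentioning NetDataContractSerializer now yields no DataContractSerializer finding at all, which is only safe if NetDataContractSerializer is reported by its own branch elsewhere in the scanner — that branch is not in this hunk, so the dependency should be stated. NetDataContractSerializer is the higher-risk of the two (its payload carries .NET type information and it is a well-known deserialization sink), so silently dropping it from Medium to nothing would be a regression rather than a de-duplication. Suggest a comment above the condition: `// NetDataContractSerializer contains this substring and is reported separately at higher severity; skip it here to avoid a duplicate Medium finding` — or, if no such branch exists, add one before merging. The enclosing method starts and ends outside the hunk.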
@@ -14,15 +14,12 @@ internal static class JavaCapabilityScanner
|
||||
[
|
||||
// Runtime.exec - most common command execution
|
||||
(new Regex(@"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(", RegexOptions.Compiled), "Runtime.exec", CapabilityRisk.Critical, 1.0f),
|
||||
(new Regex(@"\.exec\s*\(\s*(?:new\s+String\s*\[\]|"")", RegexOptions.Compiled), "Runtime.exec(String[])", CapabilityRisk.Critical, 0.95f),
|
||||
(new Regex(@"\.exec\s*\(\s*new\s+String\s*\[", RegexOptions.Compiled), "Runtime.exec(String[])", CapabilityRisk.Critical, 0.95f),
|
||||
|
||||
// ProcessBuilder
|
||||
(new Regex(@"new\s+ProcessBuilder\s*\(", RegexOptions.Compiled), "ProcessBuilder", CapabilityRisk.Critical, 1.0f),
|
||||
(new Regex(@"ProcessBuilder\s*\.\s*command\s*\(", RegexOptions.Compiled), "ProcessBuilder.command", CapabilityRisk.Critical, 0.95f),
|
||||
(new Regex(@"ProcessBuilder\s*\.\s*start\s*\(", RegexOptions.Compiled), "ProcessBuilder.start", CapabilityRisk.Critical, 0.95f),
|
||||
|
||||
// Direct Process
|
||||
(new Regex(@"Process\s+\w+\s*=", RegexOptions.Compiled), "Process variable", CapabilityRisk.High, 0.7f),
|
||||
(new Regex(@"\b[A-Za-z_][\w]*\s*\.\s*start\s*\(", RegexOptions.Compiled), "Process.start", CapabilityRisk.Critical, 0.85f),
|
||||
];
|
||||
|
||||
// ========================================
|
||||
@@ -174,7 +171,6 @@ internal static class JavaCapabilityScanner
|
||||
|
||||
// SQL injection patterns - string concatenation with SQL
|
||||
(new Regex(@"""(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|TRUNCATE)\s+.*""\s*\+", RegexOptions.Compiled | RegexOptions.IgnoreCase), "SQL concatenation", CapabilityRisk.Critical, 0.9f),
|
||||
(new Regex(@"String\s+.*=\s*"".*(?:SELECT|INSERT|UPDATE|DELETE).*""\s*\+", RegexOptions.Compiled | RegexOptions.IgnoreCase), "SQL string concat", CapabilityRisk.Critical, 0.85f),
|
||||
|
||||
// JPA/Hibernate
|
||||
(new Regex(@"\.createQuery\s*\(", RegexOptions.Compiled), "EntityManager.createQuery", CapabilityRisk.Medium, 0.8f),
|
||||
@@ -205,7 +201,6 @@ internal static class JavaCapabilityScanner
|
||||
(new Regex(@"ExpressionFactory\s*\.\s*createValueExpression\s*\(", RegexOptions.Compiled), "EL ExpressionFactory", CapabilityRisk.High, 0.8f),
|
||||
|
||||
// SpEL (Spring Expression Language)
|
||||
(new Regex(@"SpelExpressionParser", RegexOptions.Compiled), "SpEL Parser", CapabilityRisk.High, 0.9f),
|
||||
(new Regex(@"new\s+SpelExpressionParser\s*\(", RegexOptions.Compiled), "SpEL Parser", CapabilityRisk.High, 0.95f),
|
||||
(new Regex(@"\.parseExpression\s*\(", RegexOptions.Compiled), "SpEL parseExpression", CapabilityRisk.High, 0.85f),
|
||||
|
||||
@@ -234,7 +229,6 @@ internal static class JavaCapabilityScanner
|
||||
|
||||
// Method/Field invocation
|
||||
(new Regex(@"Method\s*\.\s*invoke\s*\(", RegexOptions.Compiled), "Method.invoke", CapabilityRisk.High, 0.95f),
|
||||
(new Regex(@"\.invoke\s*\([^)]*\)", RegexOptions.Compiled), "invoke", CapabilityRisk.Medium, 0.7f),
|
||||
(new Regex(@"\.getMethod\s*\(", RegexOptions.Compiled), "getMethod", CapabilityRisk.Medium, 0.8f),
|
||||
(new Regex(@"\.getDeclaredMethod\s*\(", RegexOptions.Compiled), "getDeclaredMethod", CapabilityRisk.Medium, 0.85f),
|
||||
(new Regex(@"\.getDeclaredField\s*\(", RegexOptions.Compiled), "getDeclaredField", CapabilityRisk.Medium, 0.8f),
|
||||
@@ -288,7 +282,7 @@ internal static class JavaCapabilityScanner
|
||||
(new Regex(@"new\s+InitialContext\s*\(", RegexOptions.Compiled), "InitialContext", CapabilityRisk.High, 0.9f),
|
||||
(new Regex(@"InitialContext\s*\.\s*lookup\s*\(", RegexOptions.Compiled), "InitialContext.lookup", CapabilityRisk.Critical, 0.95f),
|
||||
(new Regex(@"\.lookup\s*\(\s*[""'][^""']*(?:ldap|rmi|dns|corba):", RegexOptions.Compiled | RegexOptions.IgnoreCase), "JNDI remote lookup", CapabilityRisk.Critical, 1.0f),
|
||||
(new Regex(@"Context\s*\.\s*lookup\s*\(", RegexOptions.Compiled), "Context.lookup", CapabilityRisk.High, 0.85f),
|
||||
//(new Regex(@"Context\s*\.\s*lookup\s*\(", RegexOptions.Compiled), "Context.lookup", CapabilityRisk.High, 0.85f),
|
||||
|
||||
// LDAP
|
||||
(new Regex(@"new\s+InitialLdapContext\s*\(", RegexOptions.Compiled), "InitialLdapContext", CapabilityRisk.High, 0.9f),
|
||||
@@ -303,12 +297,13 @@ internal static class JavaCapabilityScanner
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(content))
|
||||
{
|
||||
yield break;
|
||||
return Enumerable.Empty<JavaCapabilityEvidence>();
|
||||
}
|
||||
|
||||
// Strip comments for more accurate detection
|
||||
var cleanedContent = StripComments(content);
|
||||
var lines = cleanedContent.Split('\n');
|
||||
var evidences = new List<JavaCapabilityEvidence>();
|
||||
|
||||
for (var lineNumber = 0; lineNumber < lines.Length; lineNumber++)
|
||||
{
|
||||
@@ -316,71 +311,48 @@ internal static class JavaCapabilityScanner
|
||||
var lineNum = lineNumber + 1;
|
||||
|
||||
// Exec patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, ExecPatterns, CapabilityKind.Exec))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, ExecPatterns, CapabilityKind.Exec));
|
||||
|
||||
// Filesystem patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, FilesystemPatterns, CapabilityKind.Filesystem))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, FilesystemPatterns, CapabilityKind.Filesystem));
|
||||
|
||||
// Network patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, NetworkPatterns, CapabilityKind.Network))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, NetworkPatterns, CapabilityKind.Network));
|
||||
|
||||
// Environment patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, EnvironmentPatterns, CapabilityKind.Environment))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, EnvironmentPatterns, CapabilityKind.Environment));
|
||||
|
||||
// Serialization patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, SerializationPatterns, CapabilityKind.Serialization))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, SerializationPatterns, CapabilityKind.Serialization));
|
||||
|
||||
// Crypto patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, CryptoPatterns, CapabilityKind.Crypto))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, CryptoPatterns, CapabilityKind.Crypto));
|
||||
|
||||
// Database patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, DatabasePatterns, CapabilityKind.Database))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, DatabasePatterns, CapabilityKind.Database));
|
||||
|
||||
// Dynamic code patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, DynamicCodePatterns, CapabilityKind.DynamicCode))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, DynamicCodePatterns, CapabilityKind.DynamicCode));
|
||||
|
||||
// Reflection patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, ReflectionPatterns, CapabilityKind.Reflection))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, ReflectionPatterns, CapabilityKind.Reflection));
|
||||
|
||||
// Native code patterns
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, NativeCodePatterns, CapabilityKind.NativeCode))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, NativeCodePatterns, CapabilityKind.NativeCode));
|
||||
|
||||
// JNDI patterns (categorized as Other since it's Java-specific)
|
||||
foreach (var evidence in ScanPatterns(line, lineNum, filePath, JndiPatterns, CapabilityKind.Other))
|
||||
{
|
||||
yield return evidence;
|
||||
}
|
||||
evidences.AddRange(ScanPatterns(line, lineNum, filePath, JndiPatterns, CapabilityKind.Other));
|
||||
}
|
||||
|
||||
return evidences
|
||||
.GroupBy(e => e.DeduplicationKey, StringComparer.Ordinal)
|
||||
.Select(g => g
|
||||
.OrderByDescending(e => e.Confidence)
|
||||
.ThenByDescending(e => e.Risk)
|
||||
.First())
|
||||
.OrderBy(e => e.SourceFile, StringComparer.Ordinal)
|
||||
.ThenBy(e => e.SourceLine)
|
||||
.ThenBy(e => e.Pattern, StringComparer.Ordinal);
|
||||
}
|
||||
|
||||
private static IEnumerable<JavaCapabilityEvidence> ScanPatterns(
|
||||
|
||||
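Review bot: The `Context.lookup` JNDI pattern is commented out rather than deleted, leaving dead code in the JndiPatterns array; with ScanFile now grouping by DeduplicationKey, an overlapping match on the same line is presumably no longer a duplicate-finding problem, so the line should either be reinstated or removed outright. Note that the dropped regex was a substring match that also fired on receivers such as `dirContext.lookup(` or `ldapContext.lookup(`, whereas the remaining patterns need the literal `InitialContext.lookup(` or a string literal starting with `ldap:`/`rmi:`/`dns:`/`corba:`, so lookups through a typed Context variable are no longer reported — if that narrowing is intended, say so in a comment in place of the commented-out line. In the dedup tie-break, `.ThenByDescending(e => e.Risk)` assumes CapabilityRisk is declared in ascending severity order, which is not visible here; a comment (`// relies on CapabilityRisk being declared Low..Critical`) or an explicit severity rank would make the assumption checkable. ScanFile's signature and the closing of the JndiPatterns array lie outside the hunks.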
@@ -121,6 +121,7 @@ internal static class JavaLockFileCollector
|
||||
riskLevel,
|
||||
null,
|
||||
null,
|
||||
null,
|
||||
null);
|
||||
|
||||
entries[entry.Key] = entry;
|
||||
@@ -231,6 +232,7 @@ internal static class JavaLockFileCollector
|
||||
riskLevel,
|
||||
dep.VersionSource.ToString().ToLowerInvariant(),
|
||||
dep.VersionProperty,
|
||||
null,
|
||||
null);
|
||||
|
||||
entries.TryAdd(entry.Key, entry);
|
||||
@@ -272,6 +274,7 @@ internal static class JavaLockFileCollector
|
||||
|
||||
// Get license info if available
|
||||
var license = effectivePom.Licenses.FirstOrDefault();
|
||||
var optional = dep.Optional ? (bool?)true : null;
|
||||
|
||||
var entry = new JavaLockEntry(
|
||||
dep.GroupId,
|
||||
@@ -286,7 +289,8 @@ internal static class JavaLockFileCollector
|
||||
riskLevel,
|
||||
dep.VersionSource.ToString().ToLowerInvariant(),
|
||||
dep.VersionProperty,
|
||||
license?.SpdxId);
|
||||
license?.SpdxId,
|
||||
optional);
|
||||
|
||||
entries.TryAdd(entry.Key, entry);
|
||||
}
|
||||
@@ -320,6 +324,7 @@ internal static class JavaLockFileCollector
|
||||
var version = dependency.Elements().FirstOrDefault(static e => e.Name.LocalName.Equals("version", StringComparison.OrdinalIgnoreCase))?.Value?.Trim();
|
||||
var scope = dependency.Elements().FirstOrDefault(static e => e.Name.LocalName.Equals("scope", StringComparison.OrdinalIgnoreCase))?.Value?.Trim();
|
||||
var repository = dependency.Elements().FirstOrDefault(static e => e.Name.LocalName.Equals("repository", StringComparison.OrdinalIgnoreCase))?.Value?.Trim();
|
||||
var optionalValue = dependency.Elements().FirstOrDefault(static e => e.Name.LocalName.Equals("optional", StringComparison.OrdinalIgnoreCase))?.Value?.Trim();
|
||||
|
||||
if (string.IsNullOrWhiteSpace(groupId) ||
|
||||
string.IsNullOrWhiteSpace(artifactId) ||
|
||||
@@ -331,6 +336,7 @@ internal static class JavaLockFileCollector
|
||||
|
||||
scope ??= "compile";
|
||||
var riskLevel = JavaScopeClassifier.GetRiskLevel(scope);
|
||||
var isOptional = optionalValue?.Equals("true", StringComparison.OrdinalIgnoreCase) == true ? (bool?)true : null;
|
||||
|
||||
var entry = new JavaLockEntry(
|
||||
groupId,
|
||||
@@ -345,7 +351,8 @@ internal static class JavaLockFileCollector
|
||||
riskLevel,
|
||||
"direct",
|
||||
null,
|
||||
null);
|
||||
null,
|
||||
isOptional);
|
||||
|
||||
entries.TryAdd(entry.Key, entry);
|
||||
}
|
||||
@@ -400,7 +407,8 @@ internal sealed record JavaLockEntry(
|
||||
string? RiskLevel,
|
||||
string? VersionSource,
|
||||
string? VersionProperty,
|
||||
string? License)
|
||||
string? License,
|
||||
bool? Optional)
|
||||
{
|
||||
public string Key => BuildKey(GroupId, ArtifactId, Version);
|
||||
|
||||
|
||||
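Review bot: The new Optional flag is not part of `JavaLockEntry.Key` (GroupId/ArtifactId/Version only) and each collector inserts with `entries.TryAdd`, so when the same coordinate is declared optional in one place and required in another the first-seen entry wins and a required dependency can be reported as optional. Since an optional marker is exactly what downstream uses to de-prioritise a finding, the merge should prefer the non-optional declaration when keys collide. Both mappings (`dep.Optional ? (bool?)true : null` and `optionalValue?.Equals("true", …) == true ? (bool?)true : null`) also collapse an explicit `<optional>false</optional>` into null, so `false` is never recorded; if the tri-state is meant to distinguish "declared false" from "absent", map the parsed value directly. Each TryAdd site sits in a method that starts outside the hunk; the sketch below is for the `<dependency>` element path.
```csharp
// … unchanged: entry construction …
if (!entries.TryAdd(entry.Key, entry) && entry.Optional != true)
{
    // A non-optional declaration of the same GAV overrides an earlier optional one.
    var existing = entries[entry.Key];
    if (existing.Optional == true)
    {
        entries[entry.Key] = existing with { Optional = entry.Optional };
    }
}
```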
@@ -237,7 +237,7 @@ internal static partial class ShadedJarDetector
|
||||
if (markers.Contains("gradle-shadow-plugin")) score += 3;
|
||||
|
||||
// Moderate indicators
|
||||
if (markers.Contains("relocated-packages")) score += 1;
|
||||
if (markers.Contains("relocated-packages")) score += 2;
|
||||
|
||||
// Embedded artifact count
|
||||
if (embeddedCount > 5) score += 2;
|
||||
|
||||
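Review bot: The bump of `relocated-packages` from 1 to 2 is an unexplained magic weight, and package relocation is by definition a shading indicator, so it arguably belongs with the strong indicators rather than under `// Moderate indicators` at the same weight as `embeddedCount > 5`. A why-comment would keep the next reader from reverting it, e.g. `// Relocated packages are direct evidence of shading; weight 2 so a relocated jar without plugin markers still scores`, assuming that is the motivation — the threshold the score is compared against is outside this hunk. The scoring method starts and ends outside the hunk.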
@@ -546,6 +546,10 @@ public sealed class JavaLanguageAnalyzer : ILanguageAnalyzer
|
||||
AddMetadata(metadata, "scope.riskLevel", entry.RiskLevel);
|
||||
AddMetadata(metadata, "maven.versionSource", entry.VersionSource);
|
||||
AddMetadata(metadata, "maven.versionProperty", entry.VersionProperty);
|
||||
if (entry.Optional == true)
|
||||
{
|
||||
AddMetadata(metadata, "optional", "true");
|
||||
}
|
||||
AddMetadata(metadata, "license", entry.License);
|
||||
}
|
||||
|
||||
|
||||
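Review bot: The new metadata key `optional` is bare while the neighbouring keys are namespaced (`scope.riskLevel`, `maven.versionSource`, `maven.versionProperty`), which looks inconsistent; unless consumers already expect the bare name, `maven.optional` would match the section. Emitting only when `entry.Optional == true` also means a consumer cannot tell "not optional" from "unknown", which is fine if that is the documented meaning of absence — a short comment (`// Emitted only when the POM declares <optional>true</optional>; absence means not optional or not recorded`) would settle it. The enclosing method starts outside the hunk.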