Added new Nuget packages.config analyzer (Nugetconf)

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -208,6 +208,10 @@ public class Check extends Update {
      * Whether or not the .NET Nuspec Analyzer is enabled.
      */
     private Boolean nuspecAnalyzerEnabled;
+    /**
+     * Whether or not the .NET Nuget packages.config file Analyzer is enabled.
+     */
+    private Boolean nugetconfAnalyzerEnabled;
     /**
      * Whether or not the PHP Composer Analyzer is enabled.
      */
@@ -658,6 +662,16 @@ public Boolean isNuspecAnalyzerEnabled() {
         return nuspecAnalyzerEnabled;
     }
 
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public Boolean isNugetconfAnalyzerEnabled() {
+        return nugetconfAnalyzerEnabled;
+    }
+
+
     /**
      * Sets whether or not the analyzer is enabled.
      *
@@ -667,6 +681,15 @@ public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
     }
 
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param nugetconfAnalyzerEnabled the value of the new setting
+     */
+    public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
+        this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
+    }
+
     /**
      * Get the value of composerAnalyzerEnabled.
      *
@@ -1337,6 +1360,7 @@ protected void populateSettings() throws BuildException {
         getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);
 
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);

ant/src/site/markdown/configuration.md

@@ -92,6 +92,7 @@ retireJsAnalyzerEnabled             | Sets whether the [experimental](../analyze
 retirejsFilterNonVulnerable         | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                 | false
 retirejsFilter                      | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content. |  
 nuspecAnalyzerEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
+nugetconfAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used.                                                                                                           | true
 cocoapodsAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
 bundleAuditAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used.             | true
 bundleAuditPath                     | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.  |  

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -461,6 +461,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
         settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
         settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
         settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, !cli.isNugetconfDisabled());
         settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
         settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
         settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());

cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -400,6 +400,8 @@ private void addAdvancedOptions(final Options options) {
                 .desc("Disable the Archive Analyzer.").build();
         final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC)
                 .desc("Disable the Nuspec Analyzer.").build();
+        final Option disableNugetconfAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUGETCONF)
+        .desc("Disable the Nuget packages.config Analyzer.").build();
         final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY)
                 .desc("Disable the .NET Assembly Analyzer.").build();
         final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST)
@@ -460,6 +462,7 @@ private void addAdvancedOptions(final Options options) {
                 .addOption(disableComposerAnalyzer)
                 .addOption(disableOpenSSLAnalyzer)
                 .addOption(disableNuspecAnalyzer)
+                .addOption(disableNugetconfAnalyzer)
                 .addOption(disableCentralAnalyzer)
                 .addOption(disableNexusAnalyzer)
                 .addOption(cocoapodsAnalyzerEnabled)
@@ -622,6 +625,17 @@ public boolean isNuspecDisabled() {
         return hasDisableOption(ARGUMENT.DISABLE_NUSPEC, Settings.KEYS.ANALYZER_NUSPEC_ENABLED);
     }
 
+    /**
+     * Returns true if the disableNugetconf command line argument was specified.
+     *
+     * @return true if the disableNugetconf command line argument was specified;
+     * otherwise false
+     */
+    public boolean isNugetconfDisabled() {
+        return hasDisableOption(ARGUMENT.DISABLE_NUGETCONF, Settings.KEYS.ANALYZER_NUGETCONF_ENABLED);
+    }
+
+
     /**
      * Returns true if the disableAssembly command line argument was specified.
      *
@@ -1515,6 +1529,10 @@ public static class ARGUMENT {
          * Disables the Nuspec Analyzer.
          */
         public static final String DISABLE_NUSPEC = "disableNuspec";
+        /**
+         * Disables the Nuget packages.config Analyzer.
+         */
+        public static final String DISABLE_NUGETCONF = "disableNugetconf";
         /**
          * Disables the Central Analyzer.
          */

cli/src/site/markdown/arguments.md

@@ -62,6 +62,7 @@ Short  | Argument Name        | Paramete
        | \-\-nexus              | \<url\>         | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
        | \-\-nexusUsesProxy     | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.        | true
        | \-\-disableNuspec      |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
+       | \-\-disableNugetconf   |                 | Sets whether or not the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used.        | false
        | \-\-disableAssembly    |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
        | \-\-mono               | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
        | \-\-bundleAudit        |                 | The path to the bundle-audit executable. | &nbsp;

cli/src/test/resources/sample.properties

@@ -12,6 +12,7 @@ analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true
 analyzer.nuspec.enabled=true
+analyzer.nugetconf.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false

cli/src/test/resources/sample2.properties

@@ -12,6 +12,7 @@ analyzer.autoconf.enabled=false
 analyzer.cmake.enabled=false
 analyzer.assembly.enabled=false
 analyzer.nuspec.enabled=false
+analyzer.nugetconf.enabled=false
 analyzer.openssl.enabled=false
 analyzer.central.enabled=false
 analyzer.nexus.enabled=true

core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java

@@ -0,0 +1,194 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nuget.NugetPackageReference;
+import org.owasp.dependencycheck.data.nuget.NugetconfParseException;
+import org.owasp.dependencycheck.data.nuget.NugetconfParser;
+import org.owasp.dependencycheck.data.nuget.XPathNugetconfParser;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Checksum;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.util.List;
+
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.exception.InitializationException;
+
+/**
+ * Analyzer which parses a Nuget packages.config file to gather module information.
+ *
+ * @author doshyt
+ */
+
+@Experimental
+@ThreadSafe
+public class NugetconfAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
+     */
+    public static final String DEPENDENCY_ECOSYSTEM = "NuGet";
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(NugetconfAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Nugetconf Analyzer";
+
+    /**
+     * The phase in which the analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The file filter used to determine which files this analyzer supports.
+     */
+    public static final String FILE_NAME = "packages.config";
+
+    /**
+     * The file filter used to determine which files this analyzer supports.
+     */
+    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(FILE_NAME).build();
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException if there's an error during initialization
+     */
+    @Override
+    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
+        //nothing to initialize
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NUGETCONF_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which this analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.debug("Checking packages.config file {}", dependency);
+        try {
+            final NugetconfParser parser = new XPathNugetconfParser();
+            List<NugetPackageReference> packages = null;
+            try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) {
+                packages = parser.parse(fis);
+            } catch (NugetconfParseException | FileNotFoundException ex) {
+                throw new AnalysisException(ex);
+            }
+
+            for (NugetPackageReference np : packages) {
+                final Dependency child = new Dependency(dependency.getActualFile(), true);
+
+                final String id = np.getId();
+                final String version = np.getVersion();
+
+                child.setEcosystem(DEPENDENCY_ECOSYSTEM);
+                child.setName(id);
+                child.setVersion(version);
+                child.setPackagePath(String.format("%s:%s", id, version));
+                child.setSha1sum(Checksum.getSHA1Checksum(String.format("%s:%s", id, version)));
+                child.setSha256sum(Checksum.getSHA256Checksum(String.format("%s:%s", id, version)));
+                child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
+                child.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST);
+                child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST);
+
+                // handle package names the same way as the MSBuild analyzer
+                if (id.indexOf(".") > 0) {
+                    final String[] parts = id.split("\\.");
+
+                    // example: Microsoft.EntityFrameworkCore
+                    child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[0], Confidence.MEDIUM);
+                    child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", parts[1], Confidence.MEDIUM);
+
+                    if (parts.length > 2) {
+                        final String rest = id.substring(id.indexOf(".") + 1);
+                        child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", rest, Confidence.MEDIUM);
+                    }
+                } else {
+                    // example: jQuery
+                    child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", id, Confidence.LOW);
+                }
+
+                engine.addDependency(child);
+            }
+        } catch (Throwable e) {
+            throw new AnalysisException(e);
+        }
+    }
+}