From 0b39b371a388dbc4caacdfe99ec23e449eef8e57 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 28 Apr 2018 23:12:13 -0500 Subject: [PATCH] Added support for scan or bom payloads to be (optionally) compressed archives (zip/gzip/gz). #136 --- .../tasks/BomUploadProcessingTask.java | 4 +- .../tasks/ScanUploadProcessingTask.java | 3 +- .../dependencytrack/util/CompressUtil.java | 54 +++++++++++++++++++ 3 files changed, 58 insertions(+), 3 deletions(-) create mode 100644 src/main/java/org/owasp/dependencytrack/util/CompressUtil.java diff --git a/src/main/java/org/owasp/dependencytrack/tasks/BomUploadProcessingTask.java b/src/main/java/org/owasp/dependencytrack/tasks/BomUploadProcessingTask.java index ca5c2f3c78..c91bf33811 100644 --- a/src/main/java/org/owasp/dependencytrack/tasks/BomUploadProcessingTask.java +++ b/src/main/java/org/owasp/dependencytrack/tasks/BomUploadProcessingTask.java @@ -30,7 +30,7 @@ import org.owasp.dependencytrack.parser.dependencycheck.resolver.ComponentResolver; import org.owasp.dependencytrack.parser.spdx.rdf.SpdxDocumentParser; import org.owasp.dependencytrack.persistence.QueryManager; - +import org.owasp.dependencytrack.util.CompressUtil; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Date; @@ -53,7 +53,7 @@ public class BomUploadProcessingTask implements Subscriber { public void inform(Event e) { if (e instanceof BomUploadEvent) { final BomUploadEvent event = (BomUploadEvent) e; - final byte[] bomBytes = event.getBom(); + final byte[] bomBytes = CompressUtil.optionallyDecompress(event.getBom()); QueryManager qm = new QueryManager(); try { final Project project = qm.getObjectByUuid(Project.class, event.getProjectUuid()); diff --git a/src/main/java/org/owasp/dependencytrack/tasks/ScanUploadProcessingTask.java b/src/main/java/org/owasp/dependencytrack/tasks/ScanUploadProcessingTask.java index c0582fb516..66e67f0ad6 100644 --- a/src/main/java/org/owasp/dependencytrack/tasks/ScanUploadProcessingTask.java +++ b/src/main/java/org/owasp/dependencytrack/tasks/ScanUploadProcessingTask.java @@ -40,6 +40,7 @@ import org.owasp.dependencytrack.parser.dependencycheck.resolver.LicenseResolver; import org.owasp.dependencytrack.parser.dependencycheck.resolver.PackageURLResolver; import org.owasp.dependencytrack.persistence.QueryManager; +import org.owasp.dependencytrack.util.CompressUtil; import java.io.File; import java.util.ArrayList; import java.util.Date; @@ -68,7 +69,7 @@ public void inform(Event e) { final ScanUploadEvent event = (ScanUploadEvent) e; final File file = event.getFile(); - final byte[] scanData = event.getScan(); + final byte[] scanData = CompressUtil.optionallyDecompress(event.getScan()); try { final Analysis analysis = (file != null) ? new DependencyCheckParser().parse(file) diff --git a/src/main/java/org/owasp/dependencytrack/util/CompressUtil.java b/src/main/java/org/owasp/dependencytrack/util/CompressUtil.java new file mode 100644 index 0000000000..fb909d5746 --- /dev/null +++ b/src/main/java/org/owasp/dependencytrack/util/CompressUtil.java @@ -0,0 +1,54 @@ +/* + * This file is part of Dependency-Track. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) Steve Springett. All Rights Reserved. + */ +package org.owasp.dependencytrack.util; + +import org.apache.commons.compress.archivers.ArchiveEntry; +import org.apache.commons.compress.archivers.ArchiveException; +import org.apache.commons.compress.archivers.ArchiveInputStream; +import org.apache.commons.compress.archivers.ArchiveStreamFactory; +import org.apache.commons.io.IOUtils; +import java.io.ByteArrayInputStream; +import java.io.IOException; + +public final class CompressUtil { + + private CompressUtil() { } + + /** + * Helper method that attempts to automatically identify an archive and its type, + * extract the contents as a byte array. If this fails, it will gracefully return + * the original input byte array without exception. If the input was not an archive + * or compressed, it will return the original byte array. + * @param input the + * @return a byte array + */ + public static byte[] optionallyDecompress(byte[] input) { + try { + ByteArrayInputStream bis = new ByteArrayInputStream(input); + ArchiveInputStream ais = new ArchiveStreamFactory().createArchiveInputStream(bis); + ArchiveEntry entry = ais.getNextEntry(); + if (ais.canReadEntryData(entry)) { + return IOUtils.toByteArray(ais); + } + } catch (ArchiveException | IOException e) { + // throw it away and return the original byte array + } + return input; + } + +}