/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.tasks.repositories;
import alpine.common.logging.Logger;
import com.github.packageurl.PackageURL;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.util.EntityUtils;
import org.dependencytrack.exception.MetaAnalyzerException;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.RepositoryType;
import org.json.JSONObject;
import java.io.IOException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Date;
import java.util.Locale;
import java.util.regex.Pattern;
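/**
 * Resolves the latest version (and its commit timestamp) of a Go module by querying the
 * {@code /<module>/@latest} endpoint of a GOPROXY-compatible server.
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>The module path is built from the component's purl namespace and name. Those values are
 *       only case-encoded, never percent-encoded, before they land in the request path, so they are
 *       validated against the Go module path character set first.</li>
 *   <li>The proxy's response is treated as data, not as trusted input: optional fields are read
 *       leniently and malformed values end up in the analyzer's regular error handling.</li>
 * </ul>
 *
 * @see <a href="https://golang.org/ref/mod#goproxy-protocol">GOPROXY protocol</a>
 * @since 4.3.0
 */
public class GoModulesMetaAnalyzer extends AbstractMetaAnalyzer {

    private static final Logger LOGGER = Logger.getLogger(GoModulesMetaAnalyzer.class);
    private static final String DEFAULT_BASE_URL = "https://proxy.golang.org";
    private static final String API_URL = "/%s/%s/@latest";

    /**
     * Characters a Go module path may consist of: ASCII letters and digits, '-', '.', '_', '~' and the
     * '/' element separator (see {@code golang.org/x/mod/module.CheckPath}). Anything else — in
     * particular URL syntax such as '?', '#', '%' or whitespace — cannot be a module path and is
     * refused before a request URL is built from it. This is a character-level check only; it does
     * not enforce every element-level rule of the module path specification.
     */
    private static final Pattern MODULE_PATH_CHARS = Pattern.compile("[A-Za-z0-9._~/-]+");

    /** Upper-case ASCII letters, the only characters the GOPROXY case-encoding rewrites. */
    private static final Pattern UPPERCASE_ASCII = Pattern.compile("([A-Z])");

    GoModulesMetaAnalyzer() {
        this.baseUrl = DEFAULT_BASE_URL;
    }

    @Override
    public RepositoryType supportedRepositoryType() {
        return RepositoryType.GO_MODULES;
    }

    /**
     * @param component the component to check
     * @return {@code true} iff the component carries a purl of type {@code golang}
     */
    @Override
    public boolean isApplicable(final Component component) {
        return component.getPurl() != null && PackageURL.StandardTypes.GOLANG.equals(component.getPurl().getType());
    }

    /**
     * Queries the proxy for the latest version of the component's module.
     * <p>
     * The returned {@link MetaModel} is left empty (no latest version, no timestamp) when the
     * component has no purl or no namespace, when the purl does not look like a Go module path, or
     * when the proxy answers with anything other than HTTP 200.
     *
     * @param component the component whose purl identifies the Go module
     * @return the populated (or empty) meta model
     * @throws MetaAnalyzerException on unexpected failures, e.g. a non-JSON body or a missing
     *         {@code Version} field; transport errors and unparseable timestamps are reported through
     *         {@code handleRequestException} instead
     */
    @Override
    public MetaModel analyze(final Component component) {
        final var meta = new MetaModel(component);
        final PackageURL purl = component.getPurl();
        if (purl == null || purl.getNamespace() == null) {
            return meta;
        }

        // The namespace and name go into the request path verbatim (apart from case-encoding). A purl
        // taken from an uploaded BOM is attacker-controlled, so refuse anything that could alter the
        // request path, query or fragment instead of forwarding it to the proxy.
        if (!isModulePathLike(purl.getNamespace()) || !isModulePathLike(purl.getName())) {
            LOGGER.warn("Skipping Go module lookup for " + purl + ": namespace/name is not a valid Go module path");
            return meta;
        }

        final String url = String.format(baseUrl + API_URL, caseEncode(purl.getNamespace()), caseEncode(purl.getName()));
        try (final CloseableHttpResponse response = processHttpRequest(url)) {
            final int statusCode = response.getStatusLine().getStatusCode();
            if (statusCode != HttpStatus.SC_OK) {
                handleUnexpectedHttpResponse(LOGGER, url, statusCode, response.getStatusLine().getReasonPhrase(), component);
                return meta;
            }
            if (response.getEntity() == null) {
                return meta;
            }

            // NOTE(review): the entire body is buffered into memory here. processHttpRequest is
            // defined elsewhere; whether it bounds the response size is not visible from this file —
            // confirm, since a misbehaving proxy could otherwise return an arbitrarily large body.
            final String responseString = EntityUtils.toString(response.getEntity());
            final var responseJson = new JSONObject(responseString);

            // "Version" is mandatory in an @latest response; a missing field is a broken proxy and
            // deliberately surfaces as a MetaAnalyzerException via the catch-all below.
            meta.setLatestVersion(responseJson.getString("Version"));

            // Module versions are prefixed with "v" in the Go ecosystem.
            // Because some services (like OSS Index as of July 2021) do not support
            // versions with this prefix, components in DT may not be prefixed either.
            //
            // In order to make the versions comparable still, we strip the "v" prefix as well,
            // if it was done for the analyzed component.
            if (component.getVersion() != null && !component.getVersion().startsWith("v")) {
                meta.setLatestVersion(StringUtils.stripStart(meta.getLatestVersion(), "v"));
            }

            // "Time" is optional in the protocol. optString yields "" when it is absent or null;
            // getString would throw and turn a perfectly valid response into an analyzer error.
            final String commitTimestamp = responseJson.optString("Time");
            if (StringUtils.isNotBlank(commitTimestamp)) {
                meta.setPublishedTimestamp(parseTimestamp(commitTimestamp));
            }
        } catch (IOException | DateTimeParseException e) {
            handleRequestException(LOGGER, e);
        } catch (Exception ex) {
            throw new MetaAnalyzerException(ex);
        }
        return meta;
    }

    /**
     * Parses the RFC 3339 timestamp the proxy returns in the {@code Time} field, e.g.
     * {@code 2021-07-13T10:12:00Z}. The value is interpreted at its explicit offset (UTC for the
     * {@code Z} suffix) rather than in the JVM's default time zone, and fractional seconds are accepted.
     *
     * @param timestamp the RFC 3339 / ISO-8601 instant
     * @return the corresponding {@link Date}
     * @throws DateTimeParseException if the value is not a valid ISO-8601 instant
     */
    private static Date parseTimestamp(final String timestamp) {
        return Date.from(Instant.parse(timestamp));
    }

    /**
     * Checks whether a purl namespace or name consists solely of characters allowed in a Go module path.
     *
     * @param pathPart the namespace or name to check; {@code null} and empty values are rejected
     * @return {@code true} iff the value is non-empty and matches {@link #MODULE_PATH_CHARS}
     */
    private static boolean isModulePathLike(final String pathPart) {
        return StringUtils.isNotEmpty(pathPart) && MODULE_PATH_CHARS.matcher(pathPart).matches();
    }

    /**
     * "To avoid ambiguity when serving from case-insensitive file systems, the $module [...] elements are
     * case-encoded by replacing every uppercase letter with an exclamation mark followed by the corresponding
     * lower-case letter."
     *
     * @param modulePath The module path to encode
     * @return The encoded module path
     */
    String caseEncode(final String modulePath) {
        // Locale.ROOT keeps the encoding independent of the JVM's default locale (e.g. under a Turkish
        // locale "I".toLowerCase() yields a dotless i, which would corrupt the request path).
        return UPPERCASE_ASCII.matcher(modulePath).replaceAll("!$1").toLowerCase(Locale.ROOT);
    }
}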