Merge pull request #5 from scanoss/hpsm

added support to enable/disable HPSM

Author: eeisegn

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.2.1] - 2023-08-09
+### Added
+- Added option to enable/disable HPSM processing (`HPSMEnabled`)
+
 ## [1.2.0] - 2023-05-18
 ### Added
 - Added support for password protected TLS Key Files (`Password`)
@@ -56,3 +60,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.0.0]: https://github.com/scanoss/api.go/compare/v0.7.0...v1.0.0
 [1.1.0]: https://github.com/scanoss/api.go/compare/v1.0.0...v1.1.0
 [1.2.0]: https://github.com/scanoss/api.go/compare/v1.1.0...v1.2.0
+[1.2.1]: https://github.com/scanoss/api.go/compare/v1.2.0...v1.2.1

config/app-config-prod.json

@@ -24,7 +24,8 @@
     "WfpGrouping": 3,
     "Workers": 2,
     "TmpFileDelete": true,
-    "KeepFailedWfps": true
+    "KeepFailedWfps": true,
+    "HPSMEnabled": true
   },
   "TLS": {
     "CertFile": "",

pkg/config/server_config.go

@@ -58,6 +58,7 @@ type ServerConfig struct {
 		TmpFileDelete  bool   `env:"SCAN_TMP_DELETE"`      // true/false
 		KeepFailedWfps bool   `env:"SCAN_KEEP_FAILED_WFP"` // true/false
 		ScanningURL    string `env:"SCANOSS_API_URL"`      // URL to present back in API responses - default https://osskb.org/api
+		HPSMEnabled    bool   `env:"SCAN_HPSM_ENABLED"`    // Enable HPSM (High Precision Snippet Matching) or not (default true)
 	}
 	TLS struct {
 		CertFile string `env:"SCAN_TLS_CERT"`   // TLS Certificate
@@ -101,6 +102,7 @@ func setServerConfigDefaults(cfg *ServerConfig) {
 	cfg.Scanning.Workers = 1       // Default to single threaded scanning
 	cfg.Scanning.ScanTimeout = 120 // Default scan engine timeout to 2 minutes
 	cfg.Scanning.WfpGrouping = 3   // Default number of WFPs to group into a single scan request (when Workers > 1)
+	cfg.Scanning.HPSMEnabled = true
 }
 
 // LoadFile loads the specified file and returns its contents in a string array.

pkg/service/scanning_service.go

@@ -31,6 +31,7 @@ import (
 	"go.uber.org/zap"
 )
 
+// getFlags extracts the form values from a request returns the flags, scan type, and sbom data if detected.
 func (s APIService) getFlags(r *http.Request, zs *zap.SugaredLogger) (string, string, string) {
 	flags := strings.TrimSpace(r.FormValue("flags"))   // Check form for Scanning flags
 	scanType := strings.TrimSpace(r.FormValue("type")) // Check form for SBOM type
@@ -198,6 +199,9 @@ func (s APIService) ScanDirect(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "ERROR no WFP file contents (file=...) supplied", http.StatusBadRequest)
 		return
 	}
+	if !s.validateHPSM(contentsTrimmed, zs, w) {
+		return
+	}
 	counters.incRequestAmount("files", int64(wfpCount))
 	zs.Debugf("Need to scan %v files", wfpCount)
 	// Only one worker selected, so send the whole WFP in a single command
@@ -208,6 +212,21 @@ func (s APIService) ScanDirect(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// validateHPSM checks if HPSM is enabled or not. If it's not and HPSM is detected. Fail the scan request.
+func (s APIService) validateHPSM(contents []byte, zs *zap.SugaredLogger, w http.ResponseWriter) bool {
+	if !s.config.Scanning.HPSMEnabled {
+		if s.config.App.Trace {
+			zs.Debugf("Checking if HPSM is present in the submitted WFP...")
+		}
+		if strings.Contains(string(contents), "hpsm=") {
+			zs.Errorf("HPSM (hpsm=...) detected in WFPs and HPSM support is disabled")
+			http.Error(w, "ERROR HPSM detected in WFP. HPSM is disabled", http.StatusForbidden)
+			return false
+		}
+	}
+	return true
+}
+
 // workerScan attempts to process all incoming scanning jobs and dumps the results into the subsequent results channel.
 func (s APIService) workerScan(id string, jobs <-chan string, results chan<- string, flags, sbomType, sbomFile string, zs *zap.SugaredLogger) {
 	if s.config.App.Trace {

pkg/service/scanning_service_test.go

@@ -251,6 +251,13 @@ func TestScanDirectThreaded(t *testing.T) {
 			file:      "./tests/fingers.wfp",
 			want:      http.StatusOK,
 		},
+		{
+			name:      "Scanning - HPSM success",
+			binary:    "../../test-support/scanoss.sh",
+			fieldName: "file",
+			file:      "./tests/fingers-hpsm.wfp",
+			want:      http.StatusOK,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
@@ -295,3 +302,96 @@ func TestScanDirectThreaded(t *testing.T) {
 		})
 	}
 }
+
+func TestScanDirectSingleHPSM(t *testing.T) {
+	err := zlog.NewSugaredDevLogger()
+	if err != nil {
+		t.Fatalf("an error '%s' was not expected when opening a sugared logger", err)
+	}
+	defer zlog.SyncZap()
+	myConfig := setupConfig(t)
+	myConfig.App.Trace = true
+	myConfig.Scanning.ScanDebug = true
+	myConfig.Scanning.HPSMEnabled = false
+	apiService := NewAPIService(myConfig)
+
+	tests := []struct {
+		name      string
+		fieldName string
+		file      string
+		binary    string
+		scanType  string
+		assets    string
+		want      int
+	}{
+		{
+			name:      "Scanning - success 1",
+			binary:    "../../test-support/scanoss.sh",
+			fieldName: "file",
+			file:      "./tests/fingers.wfp",
+			want:      http.StatusOK,
+		},
+		{
+			name:      "Scanning - HPSM fail",
+			binary:    "../../test-support/scanoss.sh",
+			fieldName: "filename",
+			file:      "./tests/fingers-hpsm.wfp",
+			want:      http.StatusForbidden,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.want == http.StatusOK { // flip between Trace for some successful calls
+				if myConfig.App.Trace {
+					myConfig.App.Trace = false
+				} else {
+					myConfig.App.Trace = true
+				}
+			} else {
+				myConfig.App.Trace = true
+			}
+			myConfig.Scanning.ScanBinary = test.binary
+			filePath := test.file
+			fieldName := test.fieldName
+			postBody := new(bytes.Buffer)
+			mw := multipart.NewWriter(postBody)
+			file, err := os.Open(filePath)
+			if err != nil {
+				t.Fatal(err)
+			}
+			writer, err := mw.CreateFormFile(fieldName, filePath)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if _, err = io.Copy(writer, file); err != nil {
+				t.Fatal(err)
+			}
+			if len(test.scanType) > 0 && len(test.assets) > 0 {
+				fmt.Println("Adding asset options: ", test.scanType, test.assets)
+				err = mw.WriteField("type", test.scanType)
+				if err != nil {
+					t.Fatal(err)
+				}
+				err = mw.WriteField("assets", test.assets)
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
+			_ = mw.Close() // close the writer before making the request
+
+			req := httptest.NewRequest(http.MethodPost, "http://localhost/api/api/scan/direct", postBody)
+			w := httptest.NewRecorder()
+			req.Header.Add("Content-Type", mw.FormDataContentType())
+			apiService.ScanDirect(w, req)
+			resp := w.Result()
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("an error was not expected when reading from request: %v", err)
+			}
+			assert.Equal(t, test.want, resp.StatusCode)
+			fmt.Println("Status: ", resp.StatusCode)
+			fmt.Println("Type: ", resp.Header.Get("Content-Type"))
+			fmt.Println("Body: ", string(body))
+		})
+	}
+}

pkg/service/tests/fingers-hpsm.wfp

@@ -0,0 +1,132 @@
+file=37f7cd1e657aa3c30ece35995b4c59e5,3114,scancodedeps-test.py
+hpsm=00d2fffaffc62d1801413bff9bacfffab0442798c29400f883ff9693acffff4400410099ff0400da000a14fed320ffba0085000aff04943ad320ff2c008500d154b5f75fb623a70ae0b0ad6f20ffff8b0a
+6=d5e54c33,b03faabe
+7=23bfe641
+8=8f1a259c
+9=96e0f2da
+10=86238bbc,57fd17f4
+11=3df15217
+13=49b901c6,76c8f7b2,5e608a23
+14=d18cc549,a6a72e20
+16=86ebf3c6
+17=6127c6f8
+18=85d7719c,b0bcdb7d,8b4fa021
+20=b05b10fa,7e399b18,d6e25bf1,45de0420
+21=32c89370,66902c56,8c6aa9e2
+27=0eed4641
+29=3b805377,e3580ff7,6d55823a
+32=5f3a1717
+34=5695ea50,165cff28
+36=5658134e
+38=830584a7
+40=31042d6c
+42=f6c592f5,c520eb6d
+45=8bb31fff,397e1cf4
+50=88c082fe,f24ae766
+54=ba9495af,ee4967e4
+55=00472355
+57=206fa2e1
+58=61d30512
+62=ac19a9d6,f24ae766
+65=1b440eb6
+66=3ea07e21
+68=fb6a4afb
+70=b0540d65
+71=a2a1db62
+73=cc335ef4,aab22912
+74=88cfbe2a
+75=cf2c92f6,c4af7521,ed7201d8,d90e1ea1
+77=6cef3503,9616a9c7,f1da437a
+81=aac97cfe
+file=3d61f8e5b082897cb9b193510284e5b5,2232,winnowing-test.py
+hpsm=00d2fffaffc62d1801413bff9bacfffab0442798c2940083fffcffff44004c00640d990888cdcb83253fcb83ffc90d255d88cdcb83ffff8b0a
+6=d5e54c33,b03faabe
+7=23bfe641
+8=8f1a259c
+9=96e0f2da
+10=86238bbc,57fd17f4
+11=3df15217
+13=49b901c6,76c8f7b2,5e608a23
+14=d18cc549,a6a72e20
+16=86ebf3c6
+17=6127c6f8
+18=85d7719c,b0bcdb7d,8b4fa021
+20=b05b10fa,7e399b18,d6e25bf1,45de0420
+21=32c89370,66902c56,8c6aa9e2
+26=c9fcb62d
+29=45d77b0e
+33=e8fae880
+35=d003b44d
+36=02fd799d
+37=168c5416
+38=7cabb204
+39=8f91aea2
+41=9eabe731
+43=fe04b2d8
+46=81e903d7
+47=1f285981
+50=ab03eaec,9a784fa2,d003b44d,ed34ad2f,168c5416
+51=7cabb204
+52=8f91aea2
+file=17324fe73aaee770c416b91404f1bff7,1861,csvoutput-test.py
+hpsm=00d2fffaffc62d1801413bff9bacfffab0442798c2940083fffcffff44004c002d0d990888cdcb83253fcb83ffff8b0a
+6=d5e54c33,b03faabe
+7=23bfe641
+8=8f1a259c
+9=96e0f2da
+10=86238bbc,57fd17f4
+11=3df15217
+13=49b901c6,76c8f7b2,5e608a23
+14=d18cc549,a6a72e20
+16=86ebf3c6
+17=6127c6f8
+18=85d7719c,b0bcdb7d,8b4fa021
+20=b05b10fa,7e399b18,d6e25bf1,45de0420
+21=32c89370,66902c56,8c6aa9e2
+26=c9fcb62d
+29=45d77b0e
+34=1c403291,5bc0fdd3
+35=d003b44d
+36=02fd799d
+37=168c5416
+38=7cabb204
+39=8f91aea2
+41=9eabe731
+43=fe04b2d8
+48=584afedf
+file=d8fdce51fb00df7bdce9c845b3dfda6a,2919,grpc-client-test.py
+hpsm=00d2fffaffc62d1801413bff9bacfffab0442798c29400f883ff9693ffff4400ab0099ff2400b500b5f75fb623a78e903eff9500ad000a14fed320b5f75fb623a7c8aaa6ff85d2e76f21ff
+6=d5e54c33,b03faabe
+7=23bfe641
+8=8f1a259c
+9=96e0f2da
+10=86238bbc,57fd17f4
+11=3df15217
+13=49b901c6,76c8f7b2,5e608a23
+14=d18cc549,a6a72e20
+16=86ebf3c6
+17=6127c6f8
+18=85d7719c,b0bcdb7d,8b4fa021
+20=b05b10fa,7e399b18,d6e25bf1,45de0420
+21=32c89370,66902c56,8c6aa9e2
+27=0eed4641
+31=3b805377,eb84d927
+35=91b67e77,0009c10f,830584a7
+39=1d66bd98
+43=bc811c12,fb6a4afb
+45=b0540d65
+46=a2a1db62
+48=f9c65f50,412ffca4,3ceb36a7
+51=7386e388
+53=b0a251fd,f1e92f1a,ae7c2c39,c02cbeb1
+56=f72ca1c2
+57=8bb31fff
+58=397e1cf4
+61=61d30512
+62=bf2da6c3,fb6a4afb
+64=b0540d65
+65=a2a1db62
+67=bae84449
+71=178e2453,888ef9e6
+73=afdfb29f
+