5.4.9 (#82)

* Enhance SBOM data ingestion and processing workflow. * Adjust component matching sensitivity threshold. * Refine best match resolution logic for tied results. * Optimize release date comparison logic in component selection. * Enhance version detection and release date search algorithms. * Implement third-party dependency path filtering. * Expand the path exclusion list for filtering. * Strengthen source code origin detection mechanisms. * Relocate URL statistics section within the report structure. * Fix memory leak in the application. --------- Co-authored-by: core software devel <[email protected]>
scanoss · Dec 27, 2024 · 0e337db · 0e337db
1 parent c69ab80
commit 0e337db
Show file tree

Hide file tree

Showing 19 changed files with 381 additions and 272 deletions.
diff --git a/inc/component.h b/inc/component.h
@@ -29,6 +29,7 @@ typedef struct component_data_t
 	char *purls[MAX_PURLS]; /* PURLs array */
 	uint8_t *purls_md5[MAX_PURLS]; /*PURLs md5*/
 	int vulnerabilities; /*component vulnerabilities number */
+	int dependencies;
 	int identified; /* was this component indentified in a provided SBOM: 0 = pending, 1 = identified without version, 2= identified with version */
 	int path_ln; /* component path lenght: number of subdirectories in the path*/
 	uint8_t url_md5[MD5_LEN]; /*url md5*/
@@ -44,6 +45,7 @@ typedef struct component_data_t
 	char * file_path_ref;
 	int path_rank;
 	int url_stats[5];
+	int health_stats[3];
 } component_data_t;
 
 component_data_t * component_init(void);
@@ -53,5 +55,5 @@ bool component_date_comparation(component_data_t * a, component_data_t * b);
 component_data_t * component_data_copy(component_data_t * in);
 int asset_declared(component_data_t * comp);
 void component_item_free(component_item * comp_item);
-
+void fill_component_path(component_data_t *component, char *file_path);
 #endif
diff --git a/inc/scanoss.h b/inc/scanoss.h
@@ -31,7 +31,7 @@
 #include "limits.h"
 
 #define MAX_FILE_PATH 1024
-#define FETCH_MAX_FILES 12000
+#define FETCH_MAX_FILES 20000
 #define MIN_FILE_SIZE 256 // files below this size will be ignored
 #define CRC_LIST_LEN 1024 // list of crc checksums to avoid metadata duplicates
 #define SNIPPET_LINE_TOLERANCE 10
@@ -40,7 +40,7 @@
 #define WFP_REC_LN 18
 
 /* Log files */
-#define SCANOSS_VERSION "5.4.8"
+#define SCANOSS_VERSION "5.4.9"
 #define SCAN_LOG "/tmp/scanoss_scan.log"
 #define MAP_DUMP "/tmp/scanoss_map.dump"
 #define SLOW_QUERY_LOG "/tmp/scanoss_slow_query.log"

diff --git a/inc/url.h b/inc/url.h
@@ -19,4 +19,9 @@ bool get_purl_first_release(uint8_t *key, uint8_t *subkey, int subkey_ln, uint8_
 
 void purl_release_date(char *purl, char *date);
 
+bool purl_vendor_component_check(component_data_t * component);
+
+int purl_source_check(component_data_t * component);
+
+
 #endif
diff --git a/inc/util.h b/inc/util.h
@@ -62,4 +62,7 @@ char * str_cat_realloc(char **a, char * b);
  void flip_slashes(char *data);
 
 void free_and_null(void * pr);
+
+bool path_is_third_party(const char* path);
+
 #endif
diff --git a/inc/versions.h b/inc/versions.h
@@ -7,12 +7,15 @@ typedef struct release_version
 {
 	char version[MAX_FIELD_LN];
 	char date[MAX_FIELD_LN];
-	uint8_t url_id[MAX_FIELD_LN];
 } release_version;
 
 void normalise_version(char *version, char *component);
 void clean_versions(component_data_t *component);
 void add_versions(component_data_t *component, file_recordset *files, uint32_t records);
 void get_purl_version(release_version *release, char *purl, uint8_t *file_id);
 char * version_cleanup(char *  version, char * component);
+void purl_latest_version_add(component_data_t * component);
+void purl_latest_version_search(component_data_t * component);
+void purl_latest_version_free();
+
 #endif
diff --git a/inc/vulnerability.h b/inc/vulnerability.h
@@ -3,6 +3,6 @@
 
 #include "scanoss.h"
 
-void print_vulnerabilities(component_data_t * component);
+int print_vulnerabilities(component_data_t * component);
 
 #endif
diff --git a/src/binary_scan.c b/src/binary_scan.c
@@ -111,8 +111,6 @@ static bool add_purl_from_urlid(uint8_t *key, uint8_t *subkey, int subkey_ln, ui
 
 	free(url_rec);
 	free(decrypted);
-
-	//scanlog("#%d File %s\n", iteration, files[iteration].path);
 	return false;
 }
 

diff --git a/src/component.c b/src/component.c
@@ -84,7 +84,10 @@ component_data_t *component_data_copy(component_data_t *in)
     out->vendor = strdup(in->vendor);
     out->version = strdup(in->version);
     out->release_date = strdup(in->release_date);
-    out->file = strdup(in->file);
+
+	if (in->file)
+   		out->file = strdup(in->file);
+
     out->file_md5_ref = in->file_md5_ref;
     out->identified = in->identified;
 	if(in->latest_release_date)
@@ -203,6 +206,13 @@ static char * look_for_version(char *in)
 	return in;
 }
 
+void fill_component_path(component_data_t *component, char *file_path)
+{
+	component->file = strdup(look_for_version(file_path));
+	component->path_ln = strlen(file_path);
+	flip_slashes(component->file);
+}
+
 /**
  * @brief Fill the match structure
  * @param url_key md5 of the match url
@@ -229,9 +239,7 @@ bool fill_component(component_data_t *component, uint8_t *url_key, char *file_pa
 		memcpy(component->url_md5, url_key, MD5_LEN);
 		if (file_path)
 		{
-			component->file = strdup(look_for_version(file_path));
-			component->path_ln = strlen(file_path);
-			flip_slashes(component->file);
+			fill_component_path(component, file_path);
 		}
 	}
 
@@ -273,10 +281,12 @@ bool fill_component(component_data_t *component, uint8_t *url_key, char *file_pa
 	component->license = strdup(license);
 	component->url = strdup(url);
 	component->latest_version = strdup(latest_version);
-
+	component->latest_release_date = strdup(component->release_date);
 	if (*purl)
 	{
 		component->purls[0] = strdup(purl);
+		component->purls_md5[0] = malloc(MD5_LEN);
+		MD5((uint8_t *)component->purls[0], strlen(component->purls[0]), component->purls_md5[0]);
 	}
 	component->age = -1;
 	return true;
@@ -327,3 +337,18 @@ void component_item_free(component_item *comp_item)
 	free(comp_item->purl);
 	free(comp_item->version);
 }
+
+void component_purl_md5(component_data_t * component)
+{
+	if (component->purls_md5[0])
+		return;
+
+	for (int i = 0; i < MAX_PURLS; i++)	
+	{
+		if (component->purls[i] && !component->purls_md5[i])
+		{
+			component->purls_md5[i] = malloc(oss_purl.key_ln);
+			MD5((uint8_t *)component->purls[i], strlen(component->purls[i]), component->purls_md5[i]);
+		}
+	}
+}
diff --git a/src/dependency.c b/src/dependency.c
@@ -58,8 +58,6 @@ bool print_dependencies_item(uint8_t *key, uint8_t *subkey, int subkey_ln, uint8
 {
 	char *CSV = decrypt_data(data, datalen, oss_dependency, key, subkey);
 	component_data_t * comp = (component_data_t *) ptr;
-	scanlog("Dependency: %s\n", CSV);
-
 	char *source = calloc(MAX_JSON_VALUE_LEN, 1);
 	char *vendor = calloc(MAX_JSON_VALUE_LEN, 1);
 	char *component = calloc(MAX_JSON_VALUE_LEN, 1);
@@ -161,6 +159,7 @@ int print_dependencies(component_data_t * comp)
 
 	free(comp->dependency_text);	
 	comp->dependency_text = aux;
+	comp->dependencies = records;
 	return records;
 }
 
diff --git a/src/file.c b/src/file.c
@@ -210,8 +210,6 @@ bool collect_all_files(uint8_t *key, uint8_t *subkey, int subkey_ln, uint8_t *ra
 	free(decrypted);
 
 	files[iteration].path_ln = dir_count(files[iteration].path);
-
-	//scanlog("#%d File %s\n", iteration, files[iteration].path);
 	return false;
 }
 

diff --git a/src/health.c b/src/health.c
@@ -80,6 +80,10 @@ bool print_health_item(uint8_t *key, uint8_t *subkey, int subkey_ln, uint8_t *da
     extract_csv(forks_count, decrypted, 6, MAX_FIELD_LN);
 	extract_csv(provenance, decrypted, 7, MAX_FIELD_LN);
 
+	match->health_stats[0] = atoi(forks_count);
+	match->health_stats[1] = atoi(issues_count);
+	match->health_stats[2] = atoi(watchers_count);
+
    	char result[MAX_FIELD_LN * 7] = "\0";
 
 	int len = 0;