Solve bug of best match seleccion using a sbom list. Improve logs to …

…detect memory errors during snippet scanning. Add scan type 'failed. Solve minor bugs
scanoss · Jan 31, 2024 · 8e1b82f · 8e1b82f
1 parent ca30f9d
commit 8e1b82f
Show file tree

Hide file tree

Showing 8 changed files with 206 additions and 180 deletions.
diff --git a/inc/scanoss.h b/inc/scanoss.h
@@ -44,7 +44,7 @@
 #define WFP_REC_LN 18
 
 /* Log files */
-#define SCANOSS_VERSION "5.3.5"
+#define SCANOSS_VERSION "5.3.6"
 #define SCAN_LOG "/tmp/scanoss_scan.log"
 #define MAP_DUMP "/tmp/scanoss_map.dump"
 #define SLOW_QUERY_LOG "/tmp/scanoss_slow_query.log"
@@ -86,7 +86,7 @@ extern const char *vulnerability_sources[];
 extern const char *quality_sources[];
 extern const char *dependency_sources[];
 
-typedef enum {MATCH_NONE, MATCH_FILE, MATCH_SNIPPET, MATCH_BINARY} match_t;
+typedef enum {MATCH_NONE, MATCH_FILE, MATCH_SNIPPET, MATCH_BINARY, MATCH_FAILED} match_t;
 
 typedef struct keywords
 {

diff --git a/src/binary_scan.c b/src/binary_scan.c
@@ -162,6 +162,8 @@ static bool get_all_file_ids(uint8_t *key, uint8_t *subkey, int subkey_ln, uint8
 static void fhash_process(char * hash, component_list_t * comp_list)
 {
 	struct ldb_table oss_fhash = {.db = "oss", .table = "fhashes", .key_ln = 16, .rec_ln = 0, .ts_ln = 2, .tmp = false};
+	if (!ldb_table_exists(oss_fhash.db, oss_fhash.table)) // skip purl if the table is not present
+		return;
 	uint8_t fhash[16]; 
 	ldb_hex_to_bin(hash, 32, fhash);
 	/* Get all file IDs for given wfp */
@@ -304,7 +306,9 @@ int binary_scan(char * input)
 			break;
 		component_list_destroy(result.components);
 		free(result.file);
+		result.file = NULL;
 		free(result.md5);
+		result.md5 = NULL;
 		sensibility++;
 	};
 

diff --git a/src/main.c b/src/main.c
@@ -512,7 +512,6 @@ int main(int argc, char **argv)
 				/* Scan file directly */
 				else 
 				{
-					scanlog("Scanning file %s\n", target);
 					scan_data_t * scan = scan_data_init(target, scan_max_snippets, scan_max_components);
 					ldb_scan(scan);
 				}

diff --git a/src/match.c b/src/match.c
@@ -48,7 +48,7 @@
 #include "dependency.h"
 #include "ignorelist.h"
 
-const char *matchtypes[] = {"none", "file", "snippet", "binary"}; /** describe the availables kinds of match */
+const char *matchtypes[] = {"none", "file", "snippet", "binary", "failed"}; /** describe the availables kinds of match */
 bool match_extensions = false;									  /** global match extension flag */
 
 char *component_hint = NULL;
@@ -107,12 +107,13 @@ static int hint_eval(component_data_t *a, component_data_t *b)
 		/*Check for component hint in purl, select components matching with the hint */
 		if (a->purls[0] && strstr(a->purls[0], component_hint) && !(b->purls[0] && strstr(b->purls[0], component_hint)))
 		{
-			scanlog("Reject component %s by hint: %s\n", b->purls[0], component_hint);
+			scanlog("Reject component %s by purl hint: %s\n", b->purls[0], component_hint);
 			return -1;
 		}
 		if (b->purls[0] && strstr(b->purls[0], component_hint) && !(a->purls[0] && strstr(a->purls[0], component_hint)))
 		{
-			scanlog("Accept component %s by hint: %s\n", b->purls[0], component_hint);
+			scanlog("Accept component %s by purl hint: %s\n", b->purls[0], component_hint);
+			b->identified = 1;
 			return 1;
 		}
 
@@ -125,6 +126,7 @@ static int hint_eval(component_data_t *a, component_data_t *b)
 		if (b->component && strstr(b->component, component_hint) && !(a->component && strstr(a->purls[0], component_hint)))
 		{
 			scanlog("Accept component %s by hint: %s\n",  b->component, component_hint);
+			b->identified = 1;
 			return 1;
 		}
 
@@ -365,7 +367,8 @@ bool load_matches(match_data_t *match)
 			if (!item->entries.le_next || !item->entries.le_next->component)
 				break;
 			/* if the date of two components it's the same */
-			if(!strcmp(item->component->release_date, item->entries.le_next->component->release_date))
+			if(!strcmp(item->component->release_date, item->entries.le_next->component->release_date) && 
+				item->component->identified <= item->entries.le_next->component->identified)
 			{
 				/* If item has no dependencies or depencencies are empty I must check the next one */
 				if(!item->component->dependency_text || strlen(item->component->dependency_text) < 4)
@@ -376,6 +379,7 @@ bool load_matches(match_data_t *match)
 					/*if the next component has dependencies, permute */
 					else if (print_dependencies(item->entries.le_next->component))
 					{
+						scanlog("Best match replaced due to dependencies");
 						struct comp_entry *aux = item->entries.le_next->entries.le_next;
 						LIST_INSERT_HEAD(&match->component_list.headp, item->entries.le_next, entries);
 						item->entries.le_next = aux;
@@ -580,7 +584,7 @@ void match_select_best(scan_data_t *scan)
 	if (!scan->best_match || !scan->best_match->component_list.items || ((engine_flags & DISABLE_REPORT_IDENTIFIED) && scan->best_match->component_list.headp.lh_first->component->identified))
 	{
 		scan->match_type = MATCH_NONE;
-		scanlog("Match without components or declared in sbom");
+		scanlog("Match without components or declared in sbom\n");
 	}
 }
 

diff --git a/src/match_list.c b/src/match_list.c
@@ -80,13 +80,13 @@ bool component_list_add(component_list_t *list, component_data_t *new_comp, bool
 
     if (!list->headp.lh_first)
     {
-        scanlog("first component in list\n");
         struct comp_entry *nn = calloc(1, sizeof(struct comp_entry)); /* Insert at the head. */
         LIST_INSERT_HEAD(&list->headp, nn, entries);
         nn->component = new_comp;
         list->items++;
         list->last_element = nn;
         list->last_element_aux = NULL;
+        scanlog("first component in list: %s\n", list->last_element->component->purls[0]);
         return true;
     }
     else if (val)
@@ -117,7 +117,7 @@ bool component_list_add(component_list_t *list, component_data_t *new_comp, bool
         }
 
         struct comp_entry *nn = calloc(1, sizeof(struct comp_entry)); /* Insert after. */
-        nn->component = new_comp; 
+        nn->component = new_comp;
         LIST_INSERT_BEFORE(np, nn, entries);
 
         if (!np->entries.le_next)

diff --git a/src/report.c b/src/report.c
@@ -161,13 +161,13 @@ void print_server_stats(scan_data_t *scan)
  * @brief Return a match=none result
  * @param scan scan data pointer
  */
-void print_json_nomatch()
+void print_json_nomatch(match_t m)
 {
 	if (quiet) 
 		return;
 	if (engine_flags & DISABLE_BEST_MATCH)
 		printf("{");
-	printf("\"id\": \"none\"");
+	printf("\"id\":\"%s\"",matchtypes[m]);
 	//print_server_stats(scan);
 	if (engine_flags & DISABLE_BEST_MATCH)
 		printf("}");

diff --git a/src/scan.c b/src/scan.c
@@ -55,15 +55,14 @@ char *ignored_assets = NULL;
     */
 scan_data_t * scan_data_init(char *target, int max_snippets, int max_components)
 {
-	scanlog("Scan Init\n");
 	scan_data_t * scan = calloc(1, sizeof(*scan));
 	scan->file_path = strdup(target);
 	scan->file_size = malloc(32);
 	scan->hashes = malloc(MAX_FILE_SIZE);
 	scan->lines  = malloc(MAX_FILE_SIZE);
 	scan->match_type = MATCH_NONE;
-
 	scan->max_components_to_process = max_components;
+	scanlog("Scan Init - path: %s\n", scan->file_path);
 
 	scan->max_snippets_to_process = max_snippets > MAX_MULTIPLE_COMPONENTS ? MAX_MULTIPLE_COMPONENTS : max_snippets; 
 	scan->max_snippets_to_process = scan->max_snippets_to_process == 0 ? 1 : scan->max_snippets_to_process;
@@ -281,7 +280,6 @@ int wfp_scan(char * path, int scan_max_snippets, int scan_max_components)
 			extract_csv(scan->file_size, (char *)rec, 1, LDB_MAX_REC_LN);
 			scan->preload = true;
 			free(rec);
-			scanlog("File md5 to be scanned: %s\n", hexmd5);
 			ldb_hex_to_bin(hexmd5, MD5_LEN * 2, scan->md5);
 			free(hexmd5);
 		}
@@ -358,7 +356,7 @@ void output_matches_json(scan_data_t *scan)
 		match_list_t *best_list = match_select_m_component_best(scan);
 		scanlog("<<<best list items: %d>>>\n", best_list->items);
 		if(!match_list_print(best_list, print_json_match, ","))
-			print_json_nomatch();
+			print_json_nomatch(scan->match_type);
 
 		match_list_destroy(best_list);
 	}
@@ -375,15 +373,15 @@ void output_matches_json(scan_data_t *scan)
 		}
 		if (first)
 		{
-			print_json_nomatch();
+			print_json_nomatch(MATCH_NONE);
 		}
 		scan->printed_succed = !first;
 	}
 	/* prinf no match if the scan was evaluated as none */ // TODO must be unified with the "else" clause
-	else if (scan->match_type == MATCH_NONE)
+	else if (scan->match_type == MATCH_NONE || scan->match_type == MATCH_FAILED)
 	{
 		printf("\"%s\": [{", scan->file_path);
-		print_json_nomatch();
+		print_json_nomatch(scan->match_type);
 	}
 	else if (scan->best_match && scan->best_match->component_list.items)
 	{
@@ -393,7 +391,7 @@ void output_matches_json(scan_data_t *scan)
 	else
 	{
 		printf("\"%s\": [{", scan->file_path);
-		print_json_nomatch();
+		print_json_nomatch(scan->match_type);
 	}
 
 	json_close_file(scan);
@@ -462,6 +460,7 @@ void ldb_scan(scan_data_t * scan)
 		char *tmp_md5_hex = md5_hex(scan->md5);
 		strcpy(scan->source_md5, tmp_md5_hex);
 		free(tmp_md5_hex);
+		scanlog("File MD5: %s\n", scan->source_md5);
 
 	/* Look for full file match or url match in ldb */
 		scan->match_type = ldb_scan_file(scan);