2013-10-31 13:25:39 +01:00
|
|
|
#!/usr/bin/env python2
|
2012-01-03 16:37:29 +01:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
#
|
|
|
|
|
# scanner.py - part of the FDroid server tools
|
2013-10-31 16:37:39 +01:00
|
|
|
# Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
|
2012-01-03 16:37:29 +01:00
|
|
|
#
|
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU Affero General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
import os
|
2015-08-29 04:20:39 +02:00
|
|
|
import re
|
2012-01-04 22:37:11 +01:00
|
|
|
import traceback
|
2015-09-04 11:37:05 +02:00
|
|
|
from argparse import ArgumentParser
|
2014-01-27 16:56:55 +01:00
|
|
|
import logging
|
|
|
|
|
|
2014-05-02 04:36:12 +02:00
|
|
|
import common
|
|
|
|
|
import metadata
|
2014-07-02 15:30:05 +02:00
|
|
|
from common import BuildException, VCSException
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-11-01 12:10:57 +01:00
|
|
|
config = None
|
|
|
|
|
options = None
|
2013-10-31 16:37:39 +01:00
|
|
|
|
2014-05-02 05:39:33 +02:00
|
|
|
|
2015-11-28 17:55:27 +01:00
|
|
|
def get_gradle_compile_commands(build):
|
2015-09-18 17:22:34 +02:00
|
|
|
compileCommands = ['compile', 'releaseCompile']
|
2015-11-28 17:55:27 +01:00
|
|
|
if build.gradle and build.gradle != ['yes']:
|
|
|
|
|
compileCommands += [flavor + 'Compile' for flavor in build.gradle]
|
|
|
|
|
compileCommands += [flavor + 'ReleaseCompile' for flavor in build.gradle]
|
2015-09-18 17:22:34 +02:00
|
|
|
|
|
|
|
|
return [re.compile(r'\s*' + c, re.IGNORECASE) for c in compileCommands]
|
|
|
|
|
|
|
|
|
|
|
2015-08-29 04:20:39 +02:00
|
|
|
# Scan the source code in the given directory (and all subdirectories)
|
|
|
|
|
# and return the number of fatal problems encountered
|
2015-11-28 17:55:27 +01:00
|
|
|
def scan_source(build_dir, root_dir, build):
|
2015-08-29 04:20:39 +02:00
|
|
|
|
|
|
|
|
count = 0
|
|
|
|
|
|
|
|
|
|
# Common known non-free blobs (always lower case):
|
2015-09-17 02:13:54 +02:00
|
|
|
usual_suspects = {
|
|
|
|
|
exp: re.compile(r'.*' + exp, re.IGNORECASE) for exp in [
|
|
|
|
|
r'flurryagent',
|
|
|
|
|
r'paypal.*mpl',
|
|
|
|
|
r'google.*analytics',
|
|
|
|
|
r'admob.*sdk.*android',
|
|
|
|
|
r'google.*ad.*view',
|
|
|
|
|
r'google.*admob',
|
|
|
|
|
r'google.*play.*services',
|
|
|
|
|
r'crittercism',
|
|
|
|
|
r'heyzap',
|
|
|
|
|
r'jpct.*ae',
|
|
|
|
|
r'youtube.*android.*player.*api',
|
|
|
|
|
r'bugsense',
|
|
|
|
|
r'crashlytics',
|
|
|
|
|
r'ouya.*sdk',
|
|
|
|
|
r'libspen23',
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
def suspects_found(s):
|
|
|
|
|
for n, r in usual_suspects.iteritems():
|
|
|
|
|
if r.match(s):
|
|
|
|
|
yield n
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-10-07 18:14:11 +02:00
|
|
|
gradle_mavenrepo = re.compile(r'maven *{ *(url)? *[\'"]?([^ \'"]*)[\'"]?')
|
|
|
|
|
|
2015-10-22 12:22:46 +02:00
|
|
|
allowed_repos = [re.compile(r'^https?://' + re.escape(repo) + r'/*') for repo in [
|
|
|
|
|
'repo1.maven.org/maven2', # mavenCentral()
|
|
|
|
|
'jcenter.bintray.com', # jcenter()
|
|
|
|
|
'jitpack.io',
|
2015-10-31 09:59:38 +01:00
|
|
|
'repo.maven.apache.org/maven2',
|
2015-10-22 12:22:46 +02:00
|
|
|
'oss.sonatype.org/content/repositories/snapshots',
|
|
|
|
|
'oss.sonatype.org/content/repositories/releases',
|
2015-10-22 12:23:57 +02:00
|
|
|
'oss.sonatype.org/content/groups/public',
|
2015-10-07 18:14:11 +02:00
|
|
|
]
|
|
|
|
|
]
|
|
|
|
|
|
2015-11-28 17:55:27 +01:00
|
|
|
scanignore = common.getpaths_map(build_dir, build.scanignore)
|
|
|
|
|
scandelete = common.getpaths_map(build_dir, build.scandelete)
|
2015-08-29 04:20:39 +02:00
|
|
|
|
|
|
|
|
scanignore_worked = set()
|
|
|
|
|
scandelete_worked = set()
|
|
|
|
|
|
|
|
|
|
def toignore(fd):
|
2015-10-04 02:00:22 +02:00
|
|
|
for k, paths in scanignore.iteritems():
|
|
|
|
|
for p in paths:
|
|
|
|
|
if fd.startswith(p):
|
|
|
|
|
scanignore_worked.add(k)
|
|
|
|
|
return True
|
2015-08-29 04:20:39 +02:00
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def todelete(fd):
|
2015-10-04 02:00:22 +02:00
|
|
|
for k, paths in scandelete.iteritems():
|
|
|
|
|
for p in paths:
|
|
|
|
|
if fd.startswith(p):
|
|
|
|
|
scandelete_worked.add(k)
|
|
|
|
|
return True
|
2015-08-29 04:20:39 +02:00
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def ignoreproblem(what, fd, fp):
|
|
|
|
|
logging.info('Ignoring %s at %s' % (what, fd))
|
|
|
|
|
return 0
|
|
|
|
|
|
|
|
|
|
def removeproblem(what, fd, fp):
|
|
|
|
|
logging.info('Removing %s at %s' % (what, fd))
|
|
|
|
|
os.remove(fp)
|
|
|
|
|
return 0
|
|
|
|
|
|
|
|
|
|
def warnproblem(what, fd):
|
2015-11-12 20:02:40 +01:00
|
|
|
if toignore(fd):
|
|
|
|
|
return
|
2015-08-29 04:20:39 +02:00
|
|
|
logging.warn('Found %s at %s' % (what, fd))
|
|
|
|
|
|
|
|
|
|
def handleproblem(what, fd, fp):
|
|
|
|
|
if toignore(fd):
|
|
|
|
|
return ignoreproblem(what, fd, fp)
|
|
|
|
|
if todelete(fd):
|
|
|
|
|
return removeproblem(what, fd, fp)
|
|
|
|
|
logging.error('Found %s at %s' % (what, fd))
|
|
|
|
|
return 1
|
|
|
|
|
|
2015-09-14 07:11:53 +02:00
|
|
|
def is_executable(path):
|
|
|
|
|
return os.path.exists(path) and os.access(path, os.X_OK)
|
|
|
|
|
|
|
|
|
|
textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
|
|
|
|
|
|
|
|
|
|
def is_binary(path):
|
|
|
|
|
d = None
|
|
|
|
|
with open(path, 'rb') as f:
|
|
|
|
|
d = f.read(1024)
|
|
|
|
|
return bool(d.translate(None, textchars))
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-11-10 21:59:54 +01:00
|
|
|
# False positives patterns for files that are binary and executable.
|
|
|
|
|
safe_paths = [re.compile(r) for r in [
|
|
|
|
|
r".*/drawable[^/]*/.*\.png$", # png drawables
|
|
|
|
|
r".*/mipmap[^/]*/.*\.png$", # png mipmaps
|
|
|
|
|
]
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def safe_path(path):
|
|
|
|
|
for sp in safe_paths:
|
|
|
|
|
if sp.match(path):
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
2015-11-28 17:55:27 +01:00
|
|
|
gradle_compile_commands = get_gradle_compile_commands(build)
|
2015-09-18 17:22:34 +02:00
|
|
|
|
|
|
|
|
def is_used_by_gradle(line):
|
|
|
|
|
return any(command.match(line) for command in gradle_compile_commands)
|
|
|
|
|
|
2015-08-29 04:20:39 +02:00
|
|
|
# Iterate through all files in the source code
|
|
|
|
|
for r, d, f in os.walk(build_dir, topdown=True):
|
|
|
|
|
|
|
|
|
|
# It's topdown, so checking the basename is enough
|
|
|
|
|
for ignoredir in ('.hg', '.git', '.svn', '.bzr'):
|
|
|
|
|
if ignoredir in d:
|
|
|
|
|
d.remove(ignoredir)
|
|
|
|
|
|
|
|
|
|
for curfile in f:
|
|
|
|
|
|
2015-11-10 21:49:46 +01:00
|
|
|
if curfile in ['.DS_Store']:
|
|
|
|
|
continue
|
|
|
|
|
|
2015-08-29 04:20:39 +02:00
|
|
|
# Path (relative) to the file
|
|
|
|
|
fp = os.path.join(r, curfile)
|
|
|
|
|
|
2015-09-22 22:03:42 +02:00
|
|
|
if os.path.islink(fp):
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
fd = fp[len(build_dir) + 1:]
|
2015-10-04 18:01:32 +02:00
|
|
|
_, ext = common.get_extension(fd)
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-09-14 07:11:53 +02:00
|
|
|
if ext == 'so':
|
2015-08-29 04:20:39 +02:00
|
|
|
count += handleproblem('shared library', fd, fp)
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'a':
|
2015-08-29 04:20:39 +02:00
|
|
|
count += handleproblem('static library', fd, fp)
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'class':
|
2015-08-29 04:20:39 +02:00
|
|
|
count += handleproblem('Java compiled class', fd, fp)
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'apk':
|
|
|
|
|
removeproblem('APK file', fd, fp)
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'jar':
|
2015-09-17 02:13:54 +02:00
|
|
|
for name in suspects_found(curfile):
|
|
|
|
|
count += handleproblem('usual supect \'%s\'' % name, fd, fp)
|
|
|
|
|
warnproblem('JAR file', fd)
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'java':
|
2015-08-29 04:20:39 +02:00
|
|
|
if not os.path.isfile(fp):
|
|
|
|
|
continue
|
|
|
|
|
for line in file(fp):
|
|
|
|
|
if 'DexClassLoader' in line:
|
|
|
|
|
count += handleproblem('DexClassLoader', fd, fp)
|
|
|
|
|
break
|
|
|
|
|
|
2015-09-14 07:11:53 +02:00
|
|
|
elif ext == 'gradle':
|
2015-08-29 04:20:39 +02:00
|
|
|
if not os.path.isfile(fp):
|
|
|
|
|
continue
|
2015-10-07 18:14:11 +02:00
|
|
|
with open(fp, 'r') as f:
|
|
|
|
|
lines = f.readlines()
|
|
|
|
|
for i, line in enumerate(lines):
|
2015-09-18 17:22:34 +02:00
|
|
|
if is_used_by_gradle(line):
|
|
|
|
|
for name in suspects_found(line):
|
2015-10-07 18:14:11 +02:00
|
|
|
count += handleproblem('usual supect \'%s\' at line %d' % (name, i+1), fd, fp)
|
2015-10-08 12:16:45 +02:00
|
|
|
noncomment_lines = [l for l in lines if not common.gradle_comment.match(l)]
|
|
|
|
|
joined = re.sub(r'[\n\r\s]+', ' ', ' '.join(noncomment_lines))
|
2015-10-07 18:14:11 +02:00
|
|
|
for m in gradle_mavenrepo.finditer(joined):
|
|
|
|
|
url = m.group(2)
|
|
|
|
|
if not any(r.match(url) for r in allowed_repos):
|
|
|
|
|
count += handleproblem('unknown maven repo \'%s\'' % url, fd, fp)
|
2015-08-29 04:20:39 +02:00
|
|
|
|
2015-09-17 02:20:22 +02:00
|
|
|
elif ext in ['', 'bin', 'out', 'exe']:
|
|
|
|
|
if is_binary(fp):
|
|
|
|
|
count += handleproblem('binary', fd, fp)
|
|
|
|
|
|
|
|
|
|
elif is_executable(fp):
|
2015-11-10 21:59:54 +01:00
|
|
|
if is_binary(fp) and not safe_path(fd):
|
2015-09-17 02:20:22 +02:00
|
|
|
warnproblem('possible binary', fd)
|
2015-09-14 07:11:53 +02:00
|
|
|
|
2015-08-29 04:20:39 +02:00
|
|
|
for p in scanignore:
|
|
|
|
|
if p not in scanignore_worked:
|
|
|
|
|
logging.error('Unused scanignore path: %s' % p)
|
|
|
|
|
count += 1
|
|
|
|
|
|
|
|
|
|
for p in scandelete:
|
|
|
|
|
if p not in scandelete_worked:
|
|
|
|
|
logging.error('Unused scandelete path: %s' % p)
|
|
|
|
|
count += 1
|
|
|
|
|
|
|
|
|
|
return count
|
|
|
|
|
|
|
|
|
|
|
2012-02-26 15:18:58 +01:00
|
|
|
def main():
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-11-01 12:10:57 +01:00
|
|
|
global config, options
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2012-02-26 15:18:58 +01:00
|
|
|
# Parse command line...
|
2015-09-04 11:37:05 +02:00
|
|
|
parser = ArgumentParser(usage="%(prog)s [options] [APPID[:VERCODE] [APPID[:VERCODE] ...]]")
|
2015-09-12 08:42:50 +02:00
|
|
|
common.setup_global_opts(parser)
|
2015-09-04 11:37:05 +02:00
|
|
|
parser.add_argument("appid", nargs='*', help="app-id with optional versioncode in the form APPID[:VERCODE]")
|
|
|
|
|
options = parser.parse_args()
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-11-01 12:10:57 +01:00
|
|
|
config = common.read_config(options)
|
|
|
|
|
|
2014-05-20 23:44:47 +02:00
|
|
|
# Read all app and srclib metadata
|
2013-12-19 23:06:57 +01:00
|
|
|
allapps = metadata.read_metadata()
|
2015-09-04 11:37:05 +02:00
|
|
|
apps = common.read_app_args(options.appid, allapps, True)
|
2012-03-11 22:59:25 +01:00
|
|
|
|
2015-01-10 13:49:54 +01:00
|
|
|
probcount = 0
|
2012-01-27 23:10:08 +01:00
|
|
|
|
2013-10-29 13:23:42 +01:00
|
|
|
build_dir = 'build'
|
|
|
|
|
if not os.path.isdir(build_dir):
|
2014-01-27 16:56:55 +01:00
|
|
|
logging.info("Creating build directory")
|
2013-10-29 13:23:42 +01:00
|
|
|
os.makedirs(build_dir)
|
|
|
|
|
srclib_dir = os.path.join(build_dir, 'srclib')
|
|
|
|
|
extlib_dir = os.path.join(build_dir, 'extlib')
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2014-08-16 12:46:02 +02:00
|
|
|
for appid, app in apps.iteritems():
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2015-11-28 13:09:47 +01:00
|
|
|
if app.Disabled:
|
2014-08-16 12:46:02 +02:00
|
|
|
logging.info("Skipping %s: disabled" % appid)
|
2013-12-19 23:06:57 +01:00
|
|
|
continue
|
2015-11-28 13:09:47 +01:00
|
|
|
if not app.builds:
|
2014-08-16 12:46:02 +02:00
|
|
|
logging.info("Skipping %s: no builds specified" % appid)
|
2013-12-19 23:06:57 +01:00
|
|
|
continue
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2014-08-16 12:46:02 +02:00
|
|
|
logging.info("Processing " + appid)
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-12-19 23:06:57 +01:00
|
|
|
try:
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2015-11-28 13:09:47 +01:00
|
|
|
if app.RepoType == 'srclib':
|
|
|
|
|
build_dir = os.path.join('build', 'srclib', app.Repo)
|
2015-09-14 07:05:41 +02:00
|
|
|
else:
|
|
|
|
|
build_dir = os.path.join('build', appid)
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-12-19 23:06:57 +01:00
|
|
|
# Set up vcs interface and make sure we have the latest code...
|
2015-11-28 13:09:47 +01:00
|
|
|
vcs = common.getvcs(app.RepoType, app.Repo, build_dir)
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2015-11-28 17:55:27 +01:00
|
|
|
for build in app.builds:
|
2012-01-03 22:39:30 +01:00
|
|
|
|
2015-11-28 17:55:27 +01:00
|
|
|
if build.disable:
|
2014-01-27 16:56:55 +01:00
|
|
|
logging.info("...skipping version %s - %s" % (
|
2015-11-28 17:55:27 +01:00
|
|
|
build.version, build.get('disable', build.commit[1:])))
|
2013-12-19 23:06:57 +01:00
|
|
|
else:
|
2015-11-28 17:55:27 +01:00
|
|
|
logging.info("...scanning version " + build.version)
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-12-19 23:06:57 +01:00
|
|
|
# Prepare the source code...
|
2015-11-28 17:55:27 +01:00
|
|
|
root_dir, _ = common.prepare_source(vcs, app, build,
|
2014-05-06 19:50:52 +02:00
|
|
|
build_dir, srclib_dir,
|
|
|
|
|
extlib_dir, False)
|
2012-01-28 10:41:46 +01:00
|
|
|
|
2013-12-19 23:06:57 +01:00
|
|
|
# Do the scan...
|
2015-11-28 17:55:27 +01:00
|
|
|
count = scan_source(build_dir, root_dir, build)
|
2015-01-10 13:49:54 +01:00
|
|
|
if count > 0:
|
|
|
|
|
logging.warn('Scanner found %d problems in %s (%s)' % (
|
2015-11-28 17:55:27 +01:00
|
|
|
count, appid, build.vercode))
|
2015-01-10 13:49:54 +01:00
|
|
|
probcount += count
|
2012-01-03 16:37:29 +01:00
|
|
|
|
2013-12-19 23:06:57 +01:00
|
|
|
except BuildException as be:
|
2015-01-10 13:49:54 +01:00
|
|
|
logging.warn("Could not scan app %s due to BuildException: %s" % (
|
|
|
|
|
appid, be))
|
|
|
|
|
probcount += 1
|
2013-12-19 23:06:57 +01:00
|
|
|
except VCSException as vcse:
|
2015-01-10 13:49:54 +01:00
|
|
|
logging.warn("VCS error while scanning app %s: %s" % (appid, vcse))
|
|
|
|
|
probcount += 1
|
2013-12-19 23:06:57 +01:00
|
|
|
except Exception:
|
2015-01-10 13:49:54 +01:00
|
|
|
logging.warn("Could not scan app %s due to unknown error: %s" % (
|
|
|
|
|
appid, traceback.format_exc()))
|
|
|
|
|
probcount += 1
|
2012-02-26 15:18:58 +01:00
|
|
|
|
2014-01-27 16:56:55 +01:00
|
|
|
logging.info("Finished:")
|
2015-09-16 22:44:41 +02:00
|
|
|
print("%d problems found" % probcount)
|
2012-02-26 15:18:58 +01:00
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
main()
|
