Skip to content

Commit

Permalink
Validate uploaded BOMs against CycloneDX schema
Browse files Browse the repository at this point in the history 
Closes DependencyTrack#3218

Signed-off-by: nscuro <[email protected]>
  • Loading branch information
@nscuro
nscuro committed Mar 3, 2024
1 parent 8b23434 commit c79c560
Show file tree
Hide file tree
Showing 12 changed files with 689 additions and 3 deletions.
5 changes: 5 additions & 0 deletions docs/_posts/2024-xx-xx-v4.11.0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ to `true`. Users are highly encouraged to do so.
* Add more context to logs emitted during BOM processing - [apiserver/#3357]
* BOM format, spec version, serial number, and version
* Project UUID, name, and version
* Validate uploaded BOMs against CycloneDX schema prior to processing them - [apiserver/#3522]
* Align retry configuration and behavior across analyzers - [apiserver/#3494]

**Fixes:**
Expand All @@ -31,6 +32,9 @@ to `true`. Users are highly encouraged to do so.

**Upgrade Notes:**

* To enable the optimized BOM ingestion, set the environment variable `BOM_PROCESSING_TASK_V2_ENABLED` to `true`
* Validation of uploaded BOMs and VEXs is enabled per default, but can be disabled by setting the environment
variable `BOM_VALIDATION_ENABLED` to `false`
* The default logging configuration ([logback.xml]) was updated to include the [Mapped Diagnostic Context] (MDC)
* Users who [customized their logging configuration] are recommended to follow this change
* The following configuration properties were renamed:
Expand Down Expand Up @@ -81,6 +85,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi

[apiserver/#3357]: https://github.com/DependencyTrack/dependency-track/pull/3357
[apiserver/#3494]: https://github.com/DependencyTrack/dependency-track/pull/3494
[apiserver/#3522]: https://github.com/DependencyTrack/dependency-track/pull/3522

[@malice00]: https://github.com/malice00
[@mehab]: https://github.com/mehab
Expand Down
3 changes: 2 additions & 1 deletion src/main/java/org/dependencytrack/common/ConfigKey.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@ public enum ConfigKey implements Config.Key {
REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_LOCK_BUCKETS("repo.meta.analyzer.cacheStampedeBlocker.lock.buckets", 1000),
REPO_META_ANALYZER_CACHE_STAMPEDE_BLOCKER_MAX_ATTEMPTS("repo.meta.analyzer.cacheStampedeBlocker.max.attempts", 10),
SYSTEM_REQUIREMENT_CHECK_ENABLED("system.requirement.check.enabled", true),
BOM_PROCESSING_TASK_V2_ENABLED("bom.processing.task.v2.enabled", false);
BOM_PROCESSING_TASK_V2_ENABLED("bom.processing.task.v2.enabled", false),
BOM_VALIDATION_ENABLED("bom.validation.enabled", true);

private final String propertyName;
private final Object defaultValue;
Expand Down
200 changes: 200 additions & 0 deletions src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) Steve Springett. All Rights Reserved.
*/
package org.dependencytrack.parser.cyclonedx;

import alpine.common.logging.Logger;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.json.JsonMapper;
import org.codehaus.stax2.XMLInputFactory2;
import org.cyclonedx.CycloneDxSchema;
import org.cyclonedx.exception.ParseException;
import org.cyclonedx.parsers.JsonParser;
import org.cyclonedx.parsers.Parser;
import org.cyclonedx.parsers.XmlParser;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.events.XMLEvent;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import static org.cyclonedx.CycloneDxSchema.NS_BOM_10;
import static org.cyclonedx.CycloneDxSchema.NS_BOM_11;
import static org.cyclonedx.CycloneDxSchema.NS_BOM_12;
import static org.cyclonedx.CycloneDxSchema.NS_BOM_13;
import static org.cyclonedx.CycloneDxSchema.NS_BOM_14;
import static org.cyclonedx.CycloneDxSchema.NS_BOM_15;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_10;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_11;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_12;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_13;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_14;
import static org.cyclonedx.CycloneDxSchema.Version.VERSION_15;

/**
* @since 4.11.0
*/
public class CycloneDxValidator {

private static final Logger LOGGER = Logger.getLogger(CycloneDxValidator.class);

private final JsonMapper jsonMapper = new JsonMapper();

public void validate(final byte[] bomBytes) {
final FormatAndVersion formatAndVersion = detectFormatAndSchemaVersion(bomBytes);

final Parser bomParser = switch (formatAndVersion.format()) {
case JSON -> new JsonParser();
case XML -> new XmlParser();
};

final List<ParseException> validationErrors;
try {
validationErrors = bomParser.validate(bomBytes, formatAndVersion.version());
} catch (IOException e) {
throw new RuntimeException("Failed to validate BOM", e);
}

if (!validationErrors.isEmpty()) {
throw new InvalidBomException("BOM is invalid", validationErrors.stream()
.map(ParseException::getMessage)
.toList());
}
}

private FormatAndVersion detectFormatAndSchemaVersion(final byte[] bomBytes) {
try {
final CycloneDxSchema.Version version = detectSchemaVersionFromJson(bomBytes);
return new FormatAndVersion(Format.JSON, version);
} catch (JsonParseException e) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Failed to parse BOM as JSON", e);
}
} catch (IOException e) {
throw new RuntimeException(e);
}

try {
final CycloneDxSchema.Version version = detectSchemaVersionFromXml(bomBytes);
return new FormatAndVersion(Format.XML, version);
} catch (XMLStreamException e) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Failed to parse BOM as XML", e);
}
}

throw new InvalidBomException("BOM is neither valid JSON nor XML");
}

private CycloneDxSchema.Version detectSchemaVersionFromJson(final byte[] bomBytes) throws IOException {
try (final com.fasterxml.jackson.core.JsonParser jsonParser = jsonMapper.createParser(bomBytes)) {
JsonToken currentToken = jsonParser.nextToken();
if (currentToken != JsonToken.START_OBJECT) {
final String currentTokenAsString = Optional.ofNullable(currentToken)
.map(JsonToken::asString).orElse(null);
throw new JsonParseException(jsonParser, "Expected token %s, but got %s"
.formatted(JsonToken.START_OBJECT.asString(), currentTokenAsString));
}

CycloneDxSchema.Version schemaVersion = null;
while (jsonParser.nextToken() != JsonToken.END_OBJECT) {
final String fieldName = jsonParser.getCurrentName();
if ("specVersion".equals(fieldName)) {
if (jsonParser.nextToken() == JsonToken.VALUE_STRING) {
final String specVersion = jsonParser.getValueAsString();
schemaVersion = switch (jsonParser.getValueAsString()) {
case "1.0", "1.1" ->
throw new InvalidBomException("JSON is not supported for specVersion %s".formatted(specVersion));
case "1.2" -> VERSION_12;
case "1.3" -> VERSION_13;
case "1.4" -> VERSION_14;
case "1.5" -> VERSION_15;
default ->
throw new InvalidBomException("Unrecognized specVersion %s".formatted(specVersion));
};
}
}

if (schemaVersion != null) {
return schemaVersion;
}
}

throw new InvalidBomException("Unable to determine schema version from JSON");
}
}

private CycloneDxSchema.Version detectSchemaVersionFromXml(final byte[] bomBytes) throws XMLStreamException {
final XMLInputFactory xmlInputFactory = XMLInputFactory2.newFactory();
final var bomBytesStream = new ByteArrayInputStream(bomBytes);
final XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(bomBytesStream);

CycloneDxSchema.Version schemaVersion = null;
while (xmlStreamReader.hasNext()) {
if (xmlStreamReader.next() == XMLEvent.START_ELEMENT) {
if (!"bom".equalsIgnoreCase(xmlStreamReader.getLocalName())) {
continue;
}

final var namespaceUrisSeen = new ArrayList<String>();
for (int i = 0; i < xmlStreamReader.getNamespaceCount(); i++) {
final String namespaceUri = xmlStreamReader.getNamespaceURI(i);
namespaceUrisSeen.add(namespaceUri);

schemaVersion = switch (namespaceUri) {
case NS_BOM_10 -> VERSION_10;
case NS_BOM_11 -> VERSION_11;
case NS_BOM_12 -> VERSION_12;
case NS_BOM_13 -> VERSION_13;
case NS_BOM_14 -> VERSION_14;
case NS_BOM_15 -> VERSION_15;
default -> null;
};
}

if (schemaVersion == null) {
throw new InvalidBomException("Unable to determine schema version from XML namespaces %s"
.formatted(namespaceUrisSeen));
}

break;
}
}

if (schemaVersion == null) {
throw new InvalidBomException("Unable to determine schema version from XML");
}

return schemaVersion;
}

private enum Format {
JSON,
XML
}

private record FormatAndVersion(Format format, CycloneDxSchema.Version version) {
}

}
49 changes: 49 additions & 0 deletions src/main/java/org/dependencytrack/parser/cyclonedx/InvalidBomException.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) Steve Springett. All Rights Reserved.
*/
package org.dependencytrack.parser.cyclonedx;

import java.util.Collections;
import java.util.List;

public class InvalidBomException extends RuntimeException {

private final List<String> validationErrors;

InvalidBomException(final String message) {
this(message, (Throwable) null);
}

InvalidBomException(final String message, final Throwable cause) {
this(message, cause, Collections.emptyList());
}

InvalidBomException(final String message, final List<String> validationErrors) {
this(message, null, validationErrors);
}

private InvalidBomException(final String message, final Throwable cause, final List<String> validationErrors) {
super(message, cause);
this.validationErrors = validationErrors;
}

public List<String> getValidationErrors() {
return validationErrors;
}

}
37 changes: 37 additions & 0 deletions src/main/java/org/dependencytrack/resources/v1/BomResource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
*/
package org.dependencytrack.resources.v1;

import alpine.Config;
import alpine.common.logging.Logger;
import alpine.event.framework.Event;
import alpine.server.auth.PermissionRequired;
Expand All @@ -34,11 +35,15 @@
import org.cyclonedx.CycloneDxMediaType;
import org.cyclonedx.exception.GeneratorException;
import org.dependencytrack.auth.Permissions;
import org.dependencytrack.common.ConfigKey;
import org.dependencytrack.event.BomUploadEvent;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.Project;
import org.dependencytrack.parser.cyclonedx.CycloneDXExporter;
import org.dependencytrack.parser.cyclonedx.CycloneDxValidator;
import org.dependencytrack.parser.cyclonedx.InvalidBomException;
import org.dependencytrack.persistence.QueryManager;
import org.dependencytrack.resources.v1.problems.InvalidBomProblemDetails;
import org.dependencytrack.resources.v1.vo.BomSubmitRequest;
import org.dependencytrack.resources.v1.vo.BomUploadResponse;
import org.dependencytrack.resources.v1.vo.IsTokenBeingProcessedResponse;
Expand All @@ -57,6 +62,7 @@
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.io.ByteArrayInputStream;
Expand Down Expand Up @@ -199,6 +205,7 @@ public Response exportComponentAsCycloneDx (
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Upload a supported bill of material format document", notes = "Expects CycloneDX along and a valid project UUID. If a UUID is not specified, then the projectName and projectVersion must be specified. Optionally, if autoCreate is specified and 'true' and the project does not exist, the project will be created. In this scenario, the principal making the request will additionally need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission.", response = BomUploadResponse.class, nickname = "UploadBomBase64Encoded")
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid BOM", response = InvalidBomProblemDetails.class),
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
Expand Down Expand Up @@ -264,6 +271,7 @@ public Response uploadBom(BomSubmitRequest request) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Upload a supported bill of material format document", notes = "Expects CycloneDX along and a valid project UUID. If a UUID is not specified, then the projectName and projectVersion must be specified. Optionally, if autoCreate is specified and 'true' and the project does not exist, the project will be created. In this scenario, the principal making the request will additionally need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission.", response = BomUploadResponse.class, nickname = "UploadBom")
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid BOM", response = InvalidBomProblemDetails.class),
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
Expand Down Expand Up @@ -353,6 +361,7 @@ private Response process(QueryManager qm, Project project, String encodedBomData
final byte[] decoded = Base64.getDecoder().decode(encodedBomData);
try (final ByteArrayInputStream bain = new ByteArrayInputStream(decoded)) {
final byte[] content = IOUtils.toByteArray(new BOMInputStream((bain)));
validate(content);
final BomUploadEvent bomUploadEvent = new BomUploadEvent(qm.getPersistenceManager().detachCopy(project), content);
Event.dispatch(bomUploadEvent);
return Response.ok(Collections.singletonMap("token", bomUploadEvent.getChainIdentifier())).build();
Expand All @@ -376,6 +385,7 @@ private Response process(QueryManager qm, Project project, List<FormDataBodyPart
}
try (InputStream in = bodyPartEntity.getInputStream()) {
final byte[] content = IOUtils.toByteArray(new BOMInputStream((in)));
validate(content);
// todo: make option to combine all the bom data so components are reconciled in a single pass.
// todo: https://github.com/DependencyTrack/dependency-track/issues/130
final BomUploadEvent bomUploadEvent = new BomUploadEvent(qm.getPersistenceManager().detachCopy(project), content);
Expand All @@ -396,4 +406,31 @@ private Response process(QueryManager qm, Project project, List<FormDataBodyPart
return Response.ok().build();
}

static void validate(final byte[] bomBytes) {
if (!Config.getInstance().getPropertyAsBoolean(ConfigKey.BOM_VALIDATION_ENABLED)) {
return;
}

try {
final var validator = new CycloneDxValidator();
validator.validate(bomBytes);
} catch (InvalidBomException e) {
final var problemDetails = new InvalidBomProblemDetails();
problemDetails.setTitle(e.getMessage());
if (!e.getValidationErrors().isEmpty()) {
problemDetails.setErrors(e.getValidationErrors());
}

final Response response = Response.status(Response.Status.BAD_REQUEST)
.entity(problemDetails)
.build();

throw new WebApplicationException(response);
} catch (RuntimeException e) {
LOGGER.error("Failed to validate BOM", e);
final Response response = Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
throw new WebApplicationException(response);
}
}

}
2 changes: 2 additions & 0 deletions src/main/java/org/dependencytrack/resources/v1/VexResource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,7 @@ private Response process(QueryManager qm, Project project, String encodedVexData
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
final byte[] decoded = Base64.getDecoder().decode(encodedVexData);
BomResource.validate(decoded);
final VexUploadEvent vexUploadEvent = new VexUploadEvent(project.getUuid(), decoded);
Event.dispatch(vexUploadEvent);
return Response.ok(Collections.singletonMap("token", vexUploadEvent.getChainIdentifier())).build();
Expand All @@ -217,6 +218,7 @@ private Response process(QueryManager qm, Project project, List<FormDataBodyPart
}
try (InputStream in = bodyPartEntity.getInputStream()) {
final byte[] content = IOUtils.toByteArray(new BOMInputStream((in)));
BomResource.validate(content);
final VexUploadEvent vexUploadEvent = new VexUploadEvent(project.getUuid(), content);
Event.dispatch(vexUploadEvent);
return Response.ok(Collections.singletonMap("token", vexUploadEvent.getChainIdentifier())).build();
Expand Down
Loading

0 comments on commit c79c560

Please sign in to comment.