Merge pull request #13 from octarinesec/spring4shell_hotfix

Spring4shell hotfix
octarinesec · Apr 6, 2022 · 8dc42e7 · 8dc42e7
2 parents 7c18f6a + 2690848
commit 8dc42e7
Showing 1 changed file with 39 additions and 12 deletions.
diff --git a/anchore_engine/db/entities/policy_engine.py b/anchore_engine/db/entities/policy_engine.py
@@ -2126,7 +2126,8 @@ def get_pom_properties(self):
                 kv = line.split("=")
                 key = kv[0].strip()
                 value = "=".join(kv[1:]).strip()
-                props[key] = value
+                if value != "None":
+                    props[key] = value
         return props
 
     def find_vulnerabilities(self):
@@ -2153,16 +2154,29 @@ def find_vulnerabilities(self):
 
         pkgkey = pkgversion = None
         likematch = None
+        pkg_name_like = None
         if self.pkg_type in ["java", "maven"]:
             # search for maven hits
             if self.metadata_json:
                 pombuf = self.metadata_json.get("pom.properties", "")
                 if pombuf:
                     pomprops = self.get_pom_properties()
-                    pkgkey = "{}:{}".format(
-                        pomprops.get("groupId"), pomprops.get("artifactId")
-                    )
-                    pkgversion = pomprops.get("version", None)
+                    # TODO - remove this spring4shell hotfix
+                    #  normalization in case of empty pomprops
+                    # {"pom.properties": "groupId=None, artifactId=None, version=None"}
+                    if pomprops.get("groupId") and pomprops.get("artifactId"):
+                        pkgkey = "{}:{}".format(
+                            pomprops.get("groupId"), pomprops.get("artifactId")
+                        )
+                    elif "spring" in self.name:
+                        pkg_name_like = "%{}%".format(self.name)
+                    else:
+                        pkgkey = self.name
+                    if pomprops.get("version", None):
+                        pkgversion = pomprops.get("version", None)
+                    else:
+                        pkgversion = self.version
+
                     likematch = "%java%"
                     do_langscan = True
 
@@ -2211,13 +2225,26 @@ def find_vulnerabilities(self):
                 log.debug(
                     "performing LANGPACK vuln scan {} - {}".format(pkgkey, pkgversion)
                 )
-                if pkgkey and pkgversion and likematch:
-                    candidates = (
-                        db.query(FixedArtifact)
-                        .filter(FixedArtifact.name == pkgkey)
-                        .filter(FixedArtifact.version_format == "semver")
-                        .filter(FixedArtifact.namespace_name.like(likematch))
-                    )
+                if (pkgkey or pkg_name_like) and pkgversion and likematch:
+                    if pkg_name_like:
+                        log.debug(
+                            "performing LANGPACK like vuln scan {} - {}".format(
+                                pkg_name_like, pkgversion
+                            )
+                        )
+                        candidates = (
+                            db.query(FixedArtifact)
+                            .filter(FixedArtifact.name.like(pkg_name_like))
+                            .filter(FixedArtifact.version_format == "semver")
+                            .filter(FixedArtifact.namespace_name.like(likematch))
+                        )
+                    else:
+                        candidates = (
+                            db.query(FixedArtifact)
+                            .filter(FixedArtifact.name == pkgkey)
+                            .filter(FixedArtifact.version_format == "semver")
+                            .filter(FixedArtifact.namespace_name.like(likematch))
+                        )
                     for candidate in candidates:
                         if (
                             candidate.vulnerability_id