Ane 1711 millhone jar cli program [1/3] (#1442)

* Upgrade deps. Add fingerprint-lib as a dependency to millhone.

* Initial subcommand for jar searching.

* Can fingerprint jars in a container tarfile.

* Better error handling.

* Add config for millhone for where to output traces.

* Output layer information.

* Apply suggestions from code review (Jess)

Co-authored-by: Jessica Black <[email protected]>

* Address PR requests from Jess.

* Update to latest lib-fingerprint.

* Fix fingerprints name.

* Output the observation kind so the CLI can just pass observations through.

* A type for LayerPaths.

* Hex encode millhone jar observation output.

* Apply suggestions from code review

Co-authored-by: Jessica Black <[email protected]>

* Rename analyze_jar to analyze_container.

* Ane-1711 - [2/3] integrate jar fingerprint method (#1444)

* Expose a way to get the stderr from a program when using the exec effect.

* Run millhone jar analyze as part of container scanning.

* New module.

* Parse Millhone's output properly.

* Create new output build type. Have the container analyzer include jar results.

* Add layer path to layers.

* Use container jar output from millhone to augment Container scans.

* Remove unneeded log statement.

* Fix warning.

* Refactor analyze native to fetch the organization only once.

* Implement fallback from sparkle to core.

* Rename Makefile target.

* Fix warning.

* Update comment, log message.

* Update changelog.

* Fix format.

* Output better messaging if Jar analysis fails.

* Update millhone cli command.

* Blurb mentioning Jar analysis.

* Remove bad underscore.

* Ane-1711 jar fingerprints testing [3/3] (#1445)

* CLI-side tests.

* Millhone test.

* Test against abstract JSON.

* fmt

* Try a different base to match other tests.

* Does this work still?

* Revert "Does this work still?"

This reverts commit 0dbf8ee.

* What happens if I rebuild one of the working images?

* Is upgraded tar better?

* Revert "Is upgraded tar better?"

This reverts commit 752b7aa.

* REVERT ME. Print debug for Windows.

* More traces.

* Try making sure everything is a POSIX-y path.

* Remove traces.

* Revert "REVERT ME. Print debug for Windows."

This reverts commit a4046bf.

* Revert "What happens if I rebuild one of the working images?"

This reverts commit 24e8647.

* Remove superfluous deserializations.

---------

Co-authored-by: Jessica Black <[email protected]>

Author: csasarak

Cargo.lock

@@ -1,5 +1,9 @@
 # FOSSA CLI Changelog
 
+## 3.9.24
+
+- Container Scanning: Attempt to find JAR files in container images and report them as dependencies. ([#1442](https://github.com/fossas/fossa-cli/pull/1442), [#1444](https://github.com/fossas/fossa-cli/pull/1444))
+
 ## 3.9.23
 
 - Reachability: For organizations that don't have reachability turned on suppress messages about it. ([#1440](https://github.com/fossas/fossa-cli/pull/1440))

Changelog.md

@@ -122,6 +122,10 @@ lint-cargo:
 	@cargo clippy -V
 	@cargo clippy
 
+# Build cargo deps needed b y the CLI and move them into place for cabal.
+build-embedded-rust-bins: target/release/berkeleydb target/release/millhone
+	cargo build --release --bin millhone --bin berkeleydb
+
 # Runs linter on only modified files
 # 
 # When running in docker, we have to tell git that the directory which doesn't belong to us is safe.

Makefile

@@ -99,6 +99,7 @@ Concept guides explain the nuances behind how basic FOSSA primitives work. If yo
   - [From Docker Engine](./references/subcommands/container/scanner.md#2-from-docker-engine)
   - [From Container Registries](./references/subcommands/container/scanner.md#3-from-registries)
 - [Supported Container Package Managers](./references/subcommands/container/scanner.md#supported-container-package-managers)
+  - [Container Jar File Analysis](./references/subcommands/container/scanner.md#container-jar-analysis)
 - [Viewing Detected Projects](./references/subcommands/container/scanner.md#view-detected-projects)
 - [Configuring Container Analysis Targets](./references/subcommands/container/scanner.md#utilize-analysis-target-configuration)
 - [Integrating Container Scanning in CI](./walkthroughs/container-scanning-generic-ci.md)

docs/README.md

@@ -8,6 +8,7 @@
     - [2) From Docker Engine](#2-from-docker-engine)
     - [3) From registries](#3-from-registries)
   - [Container image analysis](#container-image-analysis)
+    - [Container Jar analysis](#container-jar-analysis)
     - [View detected projects](#view-detected-projects)
       - [Command output](#command-output)
     - [Utilize analysis target configuration](#utilize-analysis-target-configuration)
@@ -204,6 +205,14 @@ The new container scanner scans in two steps:
 1. The base layer.
 2. The rest of the layers, squashed. 
 
+### Container JAR analysis
+
+The container analyzer will try to find Java Archive (Jar) files inside each layer.
+It will then report them to FOSSA which will try to match the Jar files to the project they are a build artifact from.
+
+This process relies on there being a back-end that can perform that analysis.
+SaaS customers should have this functionality available but on-prem customers may need to contact FOSSA support to have it enabled.
+
 ### Supported Container Package Managers
 The following package managers are supported in container scanning:
 
@@ -225,6 +234,7 @@ The following package managers are supported in container scanning:
 | Nim (nimble)                         | :warning:          | [Nim](./../../strategies/languages/nim/nimble.md)                |
 | Dart (pub)                           | :warning:          | [Dart](./../../strategies/languages/dart/pub.md)                 |
 | Maven                                | :warning:          | [Maven](./../../strategies/languages/maven/maven.md)             |
+| Java Jar Files                       | :white_check_mark: | [Container Jar Analysis](#container-jar-analysis)               |
 | Golang (gomod)                       | :x:                | N/A                                                              |
 | Rust (cargo)                         | :x:                | N/A                                                              |
 | Haskell (cabal, stack)               | :x:                | N/A                                                              |

docs/references/subcommands/container/scanner.md

@@ -1,6 +1,6 @@
 [package]
 name = "millhone"
-version = "0.3.2"
+version = "0.4.0"
 edition = "2021"
 
 [features]
@@ -36,6 +36,8 @@ rayon = "1.8.0"
 atty = "0.2.14"
 tracing-subscriber = { version = "0.3.17", features = ["json"] }
 lazy-regex = { version = "3.0.2", features = ["std", "regex"] }
+fingerprint = { git = "https://github.com/fossas/lib-fingerprint.git", tag = "v3.0.0", default-features = false, features = ["fp-content-serialize-base64"] }
+tar = "0.4.41"
 
 [dev-dependencies]
 maplit = "1.0.2"

extlib/millhone/Cargo.toml

@@ -20,6 +20,7 @@ use typed_builder::TypedBuilder;
 use walkdir::DirEntry;
 
 pub mod analyze;
+pub mod analyze_container;
 pub mod commit;
 pub mod ingest;
 pub mod ping;

extlib/millhone/src/cmd.rs

@@ -0,0 +1,239 @@
+use std::{
+    collections::{HashMap, HashSet},
+    fs::File,
+    io::{BufWriter, Read},
+    path::PathBuf,
+};
+
+use clap::Parser;
+use fingerprint::Combined;
+use getset::Getters;
+use serde::{Deserialize, Serialize};
+use stable_eyre::{eyre::Context, Result};
+use tar::{Archive, Entry};
+use tracing::{debug, info, info_span, warn};
+use typed_builder::TypedBuilder;
+
+#[derive(Debug, Parser, Getters)]
+#[getset(get = "pub")]
+#[clap(version)]
+pub struct Subcommand {
+    /// The tar file image to search and fingerprint jars in.
+    image_tar_file: PathBuf,
+}
+
+const JAR_OBSERVATION: &str = "v1.discover.binary.jar";
+
+#[derive(Debug, PartialEq, Eq, Serialize, Clone)]
+struct DiscoveredJar {
+    kind: &'static str,
+    path: PathBuf,
+    fingerprints: Combined,
+}
+
+impl DiscoveredJar {
+    fn new(path: PathBuf, fingerprints: Combined) -> Self {
+        DiscoveredJar {
+            kind: JAR_OBSERVATION,
+            path,
+            fingerprints,
+        }
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Deserialize)]
+struct OciManifest {
+    #[serde(rename = "Layers")]
+    layers: Vec<PathBuf>,
+}
+
+/// The path in the manifest file corresponding to a layer.
+#[derive(Debug, PartialEq, Eq, Serialize, Hash)]
+struct LayerPath(PathBuf);
+
+#[derive(Debug, PartialEq, Eq, Serialize, TypedBuilder)]
+struct JarAnalysis {
+    /// Jars and fingerprints associated with each layer in a jar file.
+    discovered_jars: HashMap<LayerPath, Vec<DiscoveredJar>>,
+}
+
+#[tracing::instrument]
+pub fn main(opts: Subcommand) -> Result<()> {
+    let tar_filename = opts.image_tar_file();
+    let jar_analysis = jars_in_container(opts.image_tar_file())
+        .with_context(|| format!("analyze container: {:?}", tar_filename))?;
+
+    let mut stdout = BufWriter::new(std::io::stdout());
+    serde_json::to_writer(&mut stdout, &jar_analysis).context("Serialize Results")
+}
+
+/// Extracts the container (saved via `docker save`) and finds JAR files inside any layer.
+/// For each one found, fingerprints it and reports all those fingerprints along with their
+/// layer and path.
+#[tracing::instrument]
+fn jars_in_container(image_path: &PathBuf) -> Result<JarAnalysis> {
+    // Visit each layer and fingerprint the JARs within.
+    info!("inspecting container");
+    let layers = list_container_layers(image_path)?;
+    let mut discoveries = HashMap::new();
+
+    let mut image = unpack(image_path)?;
+    for entry in image.entries().context("iterate entries")? {
+        let entry = entry.context("read entry")?;
+        let path = entry.path().context("read path")?;
+        if !layers.contains(path.as_ref()) {
+            debug!(?path, "skipped: not a layer file");
+            continue;
+        }
+
+        let layer = path.to_path_buf();
+        // Layers should have a form like blob
+        let layer_discoveries =
+            jars_in_layer(entry).with_context(|| format!("read layer '{layer:?}'"))?;
+        discoveries.insert(LayerPath(layer), layer_discoveries);
+    }
+
+    Ok(JarAnalysis {
+        discovered_jars: discoveries,
+    })
+}
+
+/// Open and unpack a file and put it into a tar.
+/// This is done repeatedly because `entries()` can only be read once from an Archive.
+#[tracing::instrument]
+fn unpack(path: &PathBuf) -> Result<Archive<File>> {
+    let file = File::open(path).context("open tar file")?;
+    Ok(tar::Archive::new(file))
+}
+
+#[tracing::instrument(skip(entry))]
+fn jars_in_layer(entry: Entry<'_, impl Read>) -> Result<Vec<DiscoveredJar>> {
+    let mut discoveries = Vec::new();
+
+    let mut entry_archive = tar::Archive::new(entry);
+    for entry in entry_archive.entries().context("list entries in layer")? {
+        let entry = entry.context("read entry")?;
+        let path = entry.path().context("read path")?;
+        if !path.to_string_lossy().ends_with(".jar") {
+            debug!(?path, "skipped: not a jar file");
+            continue;
+        }
+
+        let path = path.to_path_buf();
+
+        info_span!("jar", ?path).in_scope(|| -> Result<()> {
+            debug!("fingerprinting");
+            let entry = buffer(entry).context("read jar file")?;
+
+            match Combined::from_buffer(entry) {
+                Ok(fingerprints) => discoveries.push(DiscoveredJar::new(path, fingerprints)),
+                Err(e) => warn!("failed to fingerprint: {e:?}"),
+            }
+
+            Ok(())
+        })?;
+    }
+
+    Ok(discoveries)
+}
+
+#[tracing::instrument]
+fn list_container_layers(layer_path: &PathBuf) -> Result<HashSet<PathBuf>> {
+    let mut layers = HashSet::new();
+
+    let mut container = unpack(layer_path)?;
+    for entry in container.entries().context("list entries")? {
+        let entry = match entry {
+            Ok(entry) => entry,
+            Err(e) => {
+                warn!("failed to read entry: {e:?}");
+                continue;
+            }
+        };
+
+        let path = match entry.path() {
+            Ok(path) => path,
+            Err(e) => {
+                warn!("Failed to read entry path: {e:?}");
+                continue;
+            }
+        };
+
+        if !path.ends_with("manifest.json") {
+            debug!(?path, "skipped: not a manifest file");
+            continue;
+        }
+
+        info!(?path, "extracting manifests for image");
+        let manifests: Vec<OciManifest> = serde_json::from_reader(entry)
+            .with_context(|| format!("parse manifest: {layer_path:?}"))?;
+
+        for manifest in manifests {
+            layers.extend(manifest.layers);
+        }
+
+        // There's only one manifest file.
+        break;
+    }
+
+    Ok(layers)
+}
+
+#[tracing::instrument(skip(reader))]
+fn buffer(mut reader: impl Read) -> Result<Vec<u8>> {
+    let mut buf = Vec::new();
+    reader.read_to_end(&mut buf).context("Read buffer")?;
+    Ok(buf)
+}
+
+#[cfg(test)]
+mod tests {
+    use serde_json::Value;
+    use tap::Pipe;
+
+    use super::*;
+
+    const MILLHONE_OUT: &str = r#"{
+  "discovered_jars": {
+    "blobs/sha256/5c079c30beb013e4b2f7729b6bdce6fba57941d28f20db985333fc1dd969f018": [
+      {
+        "kind": "v1.discover.binary.jar",
+        "path": "inner_directory/commons-email2-jakarta-2.0.0-M1.jar",
+        "fingerprints": {
+          "v1.mavencentral.jar": "6bzpyKql6Q+UxKQgm14pcP4wHGo=",
+          "v1.raw.jar": "QA4SAurtJeo+lx1Vqve5uQYnvDKLFx1NgsSuoWKi8pw=",
+          "sha_256": "MuEcK3nOFuySTTg4HOJi3vvTpI9bYspfMHa9AK2merQ=",
+          "v1.class.jar": "2wRGbMGyGRwEXqNm53h1YK8OO879kvzDxazmJXiAcfI="
+        }
+      }
+    ],
+    "blobs/sha256/9733ccc395133a067f01ee6e380003d80fe9f443673e0f992ae6a4a7860a872c": [],
+    "blobs/sha256/61aed1a8baa251dee118b9ab203c1e420f0eda0a9b3f9322d67d235dd27a12ee": [
+      {
+        "kind": "v1.discover.binary.jar",
+        "path": "jackson-annotations-2.17.1.jar",
+        "fingerprints": {
+          "v1.mavencentral.jar": "/KfvYZLJrQXQe8UNqZG/k3qErzo=",
+          "sha_256": "/MrYLhMXLA5DhNtxV3IZybhjHAgg9LGNqqVwFvtmHHY=",
+          "v1.class.jar": "t2Btr6rNrvzghM5Nud2uldRGVjw0/n5rK9j0xooQQyk=",
+          "v1.raw.jar": "wjGJk8cvY4tpKcUC5r8YuO15Wfv+rVuyWANBYCUIeDs="
+        }
+      }
+    ]
+  }
+}"#;
+
+    #[test]
+    fn it_finds_expected_output() {
+        let image_tar_file =
+            PathBuf::from("../../test/App/Fossa/Container/testdata/jar_test_container.tar");
+
+        let res = jars_in_container(&image_tar_file)
+            .expect("Read jars out of container image.")
+            .pipe(serde_json::to_value)
+            .expect("encode as json");
+
+        let expected: Value = serde_json::from_str(MILLHONE_OUT).expect("Parse expected json");
+        pretty_assertions::assert_eq!(expected, res);
+    }
+}