-
Notifications
You must be signed in to change notification settings - Fork 0
/
techduediligence.py
354 lines (300 loc) · 13.7 KB
/
techduediligence.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
import os
import json
import re
import asyncio
from collections import defaultdict
import aiohttp
import logging
from datetime import datetime
from xml.etree import ElementTree as ET
from aiohttp import ClientResponseError
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
logger = logging.getLogger(__name__)
async def fetch_with_retry(session, url, max_retries=5, base_delay=1):
for attempt in range(max_retries):
try:
async with session.get(url) as response:
response.raise_for_status()
return await response.json()
except ClientResponseError as e:
if e.status == 429: # Too Many Requests
delay = base_delay * (2 ** attempt)
logger.warning(f"Rate limited. Retrying in {delay} seconds...")
await asyncio.sleep(delay)
else:
raise
except Exception as e:
logger.error(f"Error fetching {url}: {str(e)}")
if attempt == max_retries - 1:
raise
await asyncio.sleep(base_delay)
return None
async def get_pypi_info(session, package_name):
logger.info(f"Fetching PyPI info for package: {package_name}")
url = f"https://pypi.org/pypi/{package_name}/json"
try:
data = await fetch_with_retry(session, url)
if not data:
return None
info = data['info']
return {
'name': info['name'],
'description': info['summary'],
'author': info['author'],
'license': info['license'],
'project_url': info['project_url'],
'release_date': data['releases'][info['version']][0]['upload_time']
}
except Exception as e:
logger.error(f"Error processing PyPI info for {package_name}: {str(e)}")
return None
async def get_nuget_info(session, package_name):
logger.info(f"Fetching NuGet info for package: {package_name}")
url = f"https://api.nuget.org/v3/registration5-semver1/{package_name.lower()}/index.json"
try:
data = await fetch_with_retry(session, url)
if not data:
return None
latest = data['items'][0]['items'][-1]['catalogEntry']
return {
'name': latest['id'],
'description': latest.get('description', 'N/A'),
'author': latest.get('authors', 'N/A'),
'license': latest.get('licenseExpression', 'N/A'),
'project_url': latest.get('projectUrl', 'N/A'),
'release_date': latest['published']
}
except Exception as e:
logger.error(f"Error processing NuGet info for {package_name}: {str(e)}")
return None
async def get_npm_info(session, package_name):
logger.info(f"Fetching npm info for package: {package_name}")
url = f"https://registry.npmjs.org/{package_name}"
try:
data = await fetch_with_retry(session, url)
if not data:
return None
latest = data['versions'][data['dist-tags']['latest']]
return {
'name': data['name'],
'description': data.get('description', 'N/A'),
'author': data.get('author', {}).get('name', 'N/A') if isinstance(data.get('author'), dict) else data.get(
'author', 'N/A'),
'license': latest.get('license', 'N/A'),
'project_url': data.get('homepage', 'N/A'),
'release_date': data.get('time', {}).get(data['dist-tags']['latest'], 'N/A')
}
except Exception as e:
logger.error(f"Error processing npm info for {package_name}: {str(e)}")
return None
def parse_requirements_txt(file_path):
logger.info(f"Parsing requirements.txt file: {file_path}")
with open(file_path, 'r') as file:
return [line.strip().split('==')[0] for line in file if line.strip() and not line.startswith('#')]
def parse_csproj(file_path):
logger.info(f"Parsing .csproj file: {file_path}")
tree = ET.parse(file_path)
root = tree.getroot()
packages = []
for item_group in root.findall(".//ItemGroup"):
for package_ref in item_group.findall("PackageReference"):
packages.append(package_ref.get("Include"))
return packages
def parse_package_json(file_path):
logger.info(f"Parsing package.json file: {file_path}")
with open(file_path, 'r') as file:
data = json.load(file)
dependencies = data.get("dependencies", {})
dev_dependencies = data.get("devDependencies", {})
return list(dependencies.keys()) + list(dev_dependencies.keys())
def parse_gemfile(file_path):
logger.info(f"Parsing Gemfile: {file_path}")
with open(file_path, 'r') as file:
return [line.split("'")[1] for line in file if line.strip().startswith("gem '")]
def parse_composer_json(file_path):
logger.info(f"Parsing composer.json file: {file_path}")
with open(file_path, 'r') as file:
data = json.load(file)
return list(data.get("require", {}).keys())
def parse_cargo_toml(file_path):
logger.info(f"Parsing Cargo.toml file: {file_path}")
dependencies = []
with open(file_path, 'r') as file:
in_dependencies = False
for line in file:
if line.strip() == "[dependencies]":
in_dependencies = True
elif in_dependencies and line.strip().startswith('['):
break
elif in_dependencies and '=' in line:
package = line.split('=')[0].strip()
dependencies.append(package)
return dependencies
async def check_vulnerability(session, package_name, ecosystem):
url = f"https://api.osv.dev/v1/query"
ecosystem_map = {
'PyPI': 'PyPI',
'NuGet': 'NuGet',
'npm': 'npm',
'Ruby': 'RubyGems',
'PHP': 'Packagist',
'Rust': 'crates.io'
}
data = {
"package": {
"name": package_name,
"ecosystem": ecosystem_map.get(ecosystem, ecosystem)
}
}
try:
async with session.post(url, json=data) as response:
response.raise_for_status()
result = await response.json()
return len(result.get("vulns", [])) > 0
except Exception as e:
logger.error(f"Error checking vulnerability for {package_name} in {ecosystem}: {str(e)}")
return False
async def fetch_package_info(session, package_type, package_name):
info = None
if package_type == 'PyPI':
info = await get_pypi_info(session, package_name)
elif package_type == 'NuGet':
info = await get_nuget_info(session, package_name)
elif package_type == 'npm':
info = await get_npm_info(session, package_name)
# Add handlers for new package types here
if info:
info['has_known_vulnerability'] = await check_vulnerability(session, package_name, package_type)
return info
async def process_packages(packages):
async with aiohttp.ClientSession() as session:
tasks = []
for package_type, package_list in packages.items():
for package in package_list:
task = asyncio.ensure_future(fetch_package_info(session, package_type, package))
tasks.append((package_type, task))
results = await asyncio.gather(*[t[1] for t in tasks], return_exceptions=True)
processed_packages = {
'PyPI': [],
'NuGet': [],
'npm': [],
'Ruby': [],
'PHP': [],
'Rust': []
}
for (package_type, task), result in zip(tasks, results):
if isinstance(result, Exception):
logger.error(f"Error processing {package_type} package: {str(result)}")
elif result:
processed_packages[package_type].append(result)
await asyncio.sleep(0.1) # Small delay between requests
return processed_packages
def check_license_compatibility(license1, license2):
if license1 == 'Unknown' or license2 == 'Unknown':
return False
compatible_pairs = [
{"MIT", "Apache-2.0"},
{"MIT", "BSD-3-Clause"},
{"Apache-2.0", "BSD-3-Clause"}
]
return {license1, license2} in compatible_pairs or license1 == license2
def generate_markdown(packages):
logger.info("Generating Markdown report")
markdown = "# Tech Due Diligence Report\n\n"
markdown += "## Open Source Dependencies\n\n"
license_count = defaultdict(int)
all_packages = []
unknown_license_packages = []
for package_type, package_list in packages.items():
if package_list:
markdown += f"### {package_type} Packages\n\n"
for package in package_list:
if package: # Check if package info is not None
package['license'] = package['license'] if package['license'] not in ['N/A', '',
None] else 'Unknown'
markdown += f"#### {package['name']}\n\n"
markdown += f"- Description: {package['description']}\n"
markdown += f"- Author: {package['author']}\n"
markdown += f"- License: {package['license']}\n"
markdown += f"- Project URL: {package['project_url']}\n"
markdown += f"- Release Date: {package['release_date']}\n"
if package.get('deprecated', False):
markdown += f"- **Note: This package may be deprecated or no longer available.**\n"
markdown += f"- Known Vulnerability: {'Yes' if package.get('has_known_vulnerability') else 'No'}\n\n"
license_count[package['license']] += 1
all_packages.append(package)
if package['license'] == 'Unknown':
unknown_license_packages.append(package)
markdown += "\n## License Summary\n\n"
for license, count in license_count.items():
if license != 'Unknown':
markdown += f"- {license}: {count} package(s)\n"
if license_count['Unknown'] > 0:
markdown += f"- Unknown: {license_count['Unknown']} package(s)\n"
markdown += "\n## License Compatibility\n\n"
# Check compatibility only for known licenses that appear more than once
licenses_to_check = [license for license, count in license_count.items() if count > 1 and license != 'Unknown']
if len(licenses_to_check) > 1:
markdown += "### Potential Incompatibilities\n\n"
incompatibilities_found = False
for i, license1 in enumerate(licenses_to_check):
for license2 in licenses_to_check[i + 1:]:
if not check_license_compatibility(license1, license2):
incompatibilities_found = True
markdown += f"- {license1} may be incompatible with {license2}\n"
markdown += " Affected packages:\n"
for package in all_packages:
if package['license'] in [license1, license2]:
markdown += f" - {package['name']} ({package['license']})\n"
markdown += "\n"
if not incompatibilities_found:
markdown += "No potential license incompatibilities found among known licenses.\n\n"
else:
markdown += "All packages with known licenses use the same license or there's only one package with a known license. No compatibility issues among known licenses.\n\n"
if unknown_license_packages:
markdown += "### Packages with Unknown Licenses\n\n"
markdown += "The following packages have unknown or unspecified licenses. These should be investigated further:\n\n"
for package in unknown_license_packages:
markdown += f"- {package['name']} ({package['project_url']})\n"
markdown += "\nNote: Packages with unknown licenses are not included in the compatibility check and may pose additional licensing risks.\n\n"
return markdown
async def techduediligence(folder_path):
logger.info(f"Starting tech due diligence for folder: {folder_path}")
packages = {
'PyPI': [],
'NuGet': [],
'npm': [],
'Ruby': [],
'PHP': [],
'Rust': []
}
for root, _, files in os.walk(folder_path):
for file in files:
file_path = os.path.join(root, file)
if file.endswith('requirements.txt'):
logger.info(f"Found requirements.txt: {file_path}")
packages['PyPI'].extend(parse_requirements_txt(file_path))
elif file.endswith('.csproj'):
logger.info(f"Found .csproj file: {file_path}")
packages['NuGet'].extend(parse_csproj(file_path))
elif file == 'package.json':
logger.info(f"Found package.json: {file_path}")
packages['npm'].extend(parse_package_json(file_path))
elif file == 'Gemfile':
logger.info(f"Found Gemfile: {file_path}")
packages['Ruby'].extend(parse_gemfile(file_path))
elif file == 'composer.json':
logger.info(f"Found composer.json: {file_path}")
packages['PHP'].extend(parse_composer_json(file_path))
elif file == 'Cargo.toml':
logger.info(f"Found Cargo.toml: {file_path}")
packages['Rust'].extend(parse_cargo_toml(file_path))
processed_packages = await process_packages(packages)
markdown = generate_markdown(processed_packages)
output_file = 'tech_due_diligence_report.md'
with open(output_file, 'w') as f:
f.write(markdown)
logger.info(f"Tech Due Diligence report generated: {output_file}")
if __name__ == "__main__":
folder_path = input("Enter the folder path to analyze: ")
asyncio.run(techduediligence(folder_path))