Implement the hackage and nixpkgs meta analyzers

.gitignore

@@ -18,4 +18,8 @@ target/
 # IntelliJ
 .idea/*
 !.idea/icon.svg
-!.idea/runConfigurations/
+!.idea/runConfigurations/
+
+# nix 
+.direnv
+.pre-commit-config.yaml

pom.xml

@@ -267,6 +267,13 @@
  <scope>compile</scope>
  </dependency>
 
+ <!-- https://mvnrepository.com/artifact/org.brotli/dec -->
+ <dependency>
+ <groupId>org.brotli</groupId>
+ <artifactId>dec</artifactId>
+ <version>0.1.2</version>
+ </dependency>
+
  <dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpmime</artifactId>
@@ -410,7 +417,6 @@
  <version>2.35.2</version>
  <scope>test</scope>
  </dependency>
-
  <dependency>
  <groupId>com.github.stefanbirkner</groupId>
  <artifactId>system-rules</artifactId>

src/main/java/org/dependencytrack/model/RepositoryType.java

@@ -39,10 +39,13 @@ public enum RepositoryType {
  CARGO,
  GO_MODULES,
  GITHUB,
+ HACKAGE,
+ NIXPKGS,
  UNSUPPORTED;
 
  /**
  * Returns a RepositoryType for the specified PackageURL.
+ *
  * @param packageURL a package URL
  * @return a RepositoryType
  */
@@ -70,6 +73,10 @@ public static RepositoryType resolve(PackageURL packageURL) {
  return GO_MODULES;
  } else if (PackageURL.StandardTypes.GITHUB.equals(type)) {
  return GITHUB;
+ } else if ("hackage".equals(type)) {
+ return HACKAGE;
+ } else if ("nixpkgs".equals(type)) {
+ return NIXPKGS;
  }
  return UNSUPPORTED;
  }

src/main/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzer.java

@@ -0,0 +1,91 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.tasks.repositories;
+
+import alpine.common.logging.Logger;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.util.EntityUtils;
+import org.dependencytrack.exception.MetaAnalyzerException;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.json.JSONObject;
+
+import java.io.IOException;
+
+public class HackageMetaAnalyzer extends AbstractMetaAnalyzer {
+ private static final Logger LOGGER = Logger.getLogger(HackageMetaAnalyzer.class);
+ private static final String DEFAULT_BASE_URL = "https://hackage.haskell.org/";
+
+ HackageMetaAnalyzer() {
+ this.baseUrl = DEFAULT_BASE_URL;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public RepositoryType supportedRepositoryType() {
+ return RepositoryType.HACKAGE;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public boolean isApplicable(Component component) {
+ final var purl = component.getPurl();
+ return purl != null && "hackage".equals(purl.getType());
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public MetaModel analyze(final Component component) {
+ final var meta = new MetaModel(component);
+ final var purl = component.getPurl();
+ if (purl != null) {
+ final var url = baseUrl + "/package/" + purl.getName() + "/preferred";
+ try (final CloseableHttpResponse response = processHttpRequest(url)) {
+ if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
+ final var entity = response.getEntity();
+ if (entity != null) {
+ String responseString = EntityUtils.toString(entity);
+ final var deserialized = new JSONObject(responseString);
+ final var preferred = deserialized.getJSONArray("normal-version");
+ // the latest version is the first in the list
+ if (preferred != null) {
+ final var latest = preferred.getString(0);
+ meta.setLatestVersion(latest);
+ }
+ // the hackage API doesn't expose the "published_at" information
+ // we could use https://flora.pm/experimental/packages/{namespace}/{packageName}
+ // but it appears this isn't reliable yet
+ }
+ } else {
+ var statusLine = response.getStatusLine();
+ handleUnexpectedHttpResponse(LOGGER, url, statusLine.getStatusCode(), statusLine.getReasonPhrase(), component);
+ }
+ } catch (IOException ex) {
+ handleRequestException(LOGGER, ex);
+ } catch (Exception ex) {
+ throw new MetaAnalyzerException(ex);
+ }
+ }
+ return meta;
+ }
+}

src/main/java/org/dependencytrack/tasks/repositories/IMetaAnalyzer.java

@@ -135,6 +135,16 @@ static IMetaAnalyzer build(Component component) {
  if (analyzer.isApplicable(component)) {
  return analyzer;
  }
+ } else if ("hackage".equals(component.getPurl().getType())) {
+ IMetaAnalyzer analyzer = new HackageMetaAnalyzer();
+ if (analyzer.isApplicable(component)) {
+ return analyzer;
+ }
+ } else if ("nixpkgs".equals(component.getPurl().getType())) {
+ IMetaAnalyzer analyzer = new NixpkgsMetaAnalyzer();
+ if (analyzer.isApplicable(component)) {
+ return analyzer;
+ }
  }
  }
 

src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java

@@ -0,0 +1,128 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.tasks.repositories;
+
+import alpine.common.logging.Logger;
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.core5.http.HttpStatus;
+import org.apache.http.client.utils.URIBuilder;
+import org.dependencytrack.exception.MetaAnalyzerException;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.json.JSONObject;
+import org.json.JSONTokener;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.URISyntaxException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+
+public class NixpkgsMetaAnalyzer extends AbstractMetaAnalyzer {
+ private static final Logger LOGGER = Logger.getLogger(NixpkgsMetaAnalyzer.class);
+ private static final String DEFAULT_CHANNEL_URL = "https://channels.nixos.org/nixpkgs-unstable/packages.json.br";
+ private static final Cache<String, Map<String, String>> CACHE = Caffeine.newBuilder()
+ .expireAfterWrite(60, TimeUnit.MINUTES)
+ .maximumSize(1)
+ .build();
+
+ NixpkgsMetaAnalyzer() {
+ this.baseUrl = DEFAULT_CHANNEL_URL;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public MetaModel analyze(Component component) {
+ Map<String, String> latestVersions = CACHE.get("nixpkgs", cacheKey -> {
+ final var versions = new HashMap<String, String>();
+ try (final CloseableHttpClient client = HttpClients.createDefault()) {
+ try (final CloseableHttpResponse packagesResponse = processHttpRequest5(client)) {
+ if (packagesResponse != null && packagesResponse.getCode() == HttpStatus.SC_OK) {
+ var reader = new BufferedReader(new InputStreamReader(packagesResponse.getEntity().getContent()));
+ var packages = new JSONObject(new JSONTokener(reader)).getJSONObject("packages").toMap().values();
+ packages.forEach(pkg -> {
+ // FUTUREWORK(mangoiv): there are potentially packages with the same pname
+ if (pkg instanceof HashMap jsonPkg) {
+ final var pname = jsonPkg.get("pname");
+ final var version = jsonPkg.get("version");
+ versions.putIfAbsent((String) pname, (String) version);
+ }
+ });
+
+
+ }
+ }
+ } catch (IOException ex) {
+ LOGGER.debug(ex.toString());
+ handleRequestException(LOGGER, ex);
+ } catch (Exception ex) {
+ LOGGER.debug(ex.toString());
+ throw new MetaAnalyzerException(ex);
+ }
+ return versions;
+ });
+ final var meta = new MetaModel(component);
+ final var purl = component.getPurl();
+ if (purl != null) {
+ final var newerVersion = latestVersions.get(purl.getName());
+ if (newerVersion != null) {
+ meta.setLatestVersion(newerVersion);
+ }
+ }
+ return meta;
+ }
+
+
+ private CloseableHttpResponse processHttpRequest5(CloseableHttpClient client) throws IOException {
+ try {
+ URIBuilder uriBuilder = new URIBuilder(baseUrl);
+ final HttpGet request = new HttpGet(uriBuilder.build().toString());
+ request.addHeader("accept", "application/json");
+
+ return client.execute(request);
+
+ } catch (URISyntaxException ex) {
+ handleRequestException(LOGGER, ex);
+ return null;
+ }
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public RepositoryType supportedRepositoryType() {
+ return RepositoryType.NIXPKGS;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public boolean isApplicable(Component component) {
+ final var purl = component.getPurl();
+ return purl != null && "nixpkgs".equals(purl.getType());
+ }
+}

src/test/java/org/dependencytrack/tasks/repositories/HackageMetaAnalyzerTest.java

@@ -0,0 +1,21 @@
+package org.dependencytrack.tasks.repositories;
+
+import com.github.packageurl.PackageURL;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class HackageMetaAnalyzerTest {
+ @Test
+ public void testAnalyzer() throws Exception {
+ Component component = new Component();
+ component.setPurl(new PackageURL("pkg:hackage/singletons-th@3.1"));
+
+ HackageMetaAnalyzer analyzer = new HackageMetaAnalyzer();
+ Assert.assertTrue(analyzer.isApplicable(component));
+ Assert.assertEquals(RepositoryType.HACKAGE, analyzer.supportedRepositoryType());
+ MetaModel metaModel = analyzer.analyze(component);
+ Assert.assertNotNull(metaModel.getLatestVersion());
+ }
+}

src/test/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzerTest.java

@@ -0,0 +1,23 @@
+package org.dependencytrack.tasks.repositories;
+
+import com.github.packageurl.PackageURL;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.RepositoryType;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class NixpkgsMetaAnalyzerTest {
+ @Test
+ public void testAnalyzer() throws Exception {
+ final var component1 = new Component();
+ final var component2 = new Component();
+ component1.setPurl(new PackageURL("pkg:nixpkgs/SDL_sound@1.0.3"));
+ component2.setPurl(new PackageURL("pkg:nixpkgs/amarok@2.9.71"));
+ final var analyzer = new NixpkgsMetaAnalyzer();
+ Assert.assertTrue(analyzer.isApplicable(component1));
+ Assert.assertTrue(analyzer.isApplicable(component2));
+ Assert.assertEquals(RepositoryType.NIXPKGS, analyzer.supportedRepositoryType());
+ Assert.assertNotNull(analyzer.analyze(component1).getLatestVersion());
+ Assert.assertNotNull(analyzer.analyze(component2).getLatestVersion());
+ }
+}