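//IASTIGNORE
/*
 * ****************************************************
 * Licensed Materials - Property of HCL.
 * (c) Copyright HCL Technologies Ltd. 2017, 2025.
 * Note to U.S. Government Users *Restricted Rights.
 * ****************************************************
 */
const crypto = require('crypto')
const PackageJsonComponentsReader = require("./FileSystemComponentsReader")
const PackageJsonParser = require("./PackageJsonParser")
const AdditionalInfoObj = require("./AdditionalInfo")
const TaintTracker = require("./TaintTracker")
const Vulnerability = require("./Vulnerability")
const Entity = require("./Entity")
const {IASTHashSet} = require('./Utils/IASTHashSet')
const Globals = require("./Globals")

// Path segment (with trailing separator) that precedes a dependency's name.
const NODE_MODULES_SEGMENT = 'node_modules/'

// "[name]:[version]" keys already reported, so each library version is
// reported at most once per process. Keys are bucketed by their SHA-256.
const thirdPartyLibs = new IASTHashSet(
    (a, b) => a === b,
    (str) => crypto.createHash('sha256').update(str).digest('hex'))

/**
 * Reports the load of a third-party library as an OPEN_SOURCE_IAST finding
 * (runtime SCA). Nothing is reported when runtime SCA is disabled, when the
 * module is not under a node_modules directory, when it lives under the
 * application root (Globals.IastRootDir), when no package.json can be
 * located for it, or when the same name/version pair was already reported.
 *
 * The `orig*` string methods and `global.origError` are presumably the
 * agent's unhooked copies of the native built-ins, used so that the agent's
 * own string handling is not itself taint-tracked — confirm against the
 * hooking code.
 *
 * @param {string} modulePath - path of the module being loaded
 * @returns {void}
 */
module.exports.reportLibraryData = (modulePath) => {
    if (!Globals.EnableRuntimeSca) {
        return
    }
    // Only modules under node_modules and outside the application root are
    // third-party candidates.
    if (!modulePath.origStringIncludes('node_modules') || modulePath.origStartsWith(Globals.IastRootDir)) {
        return
    }
    const {name: libName, path: libPath} = extractThirdPartyLibNameAndPath(modulePath)
    if (libName === "") {
        return
    }
    const jsonFiles = PackageJsonComponentsReader.trySearchingPackageJsonFilesUpwards(libPath, [libName])
    if (jsonFiles.size === 0) {
        return
    }
    // The reader returns a Map-like (size/entries); the first entry's value
    // is the package.json path that is used.
    const packageJsonPath = jsonFiles.entries().next().value[1]
    const parser = new PackageJsonParser()
    let libVersion = parser.findVersion(packageJsonPath)
    let displayLibraryName
    if (libVersion == null) {
        libVersion = "Unknown"
        displayLibraryName = `${libName} (Unknown)`
    } else {
        displayLibraryName = `${libName} (v${libVersion})`
    }
    const libraryKey = `[${libName}]:[${libVersion}]`
    if (thirdPartyLibs.contains(libraryKey)) {
        return
    }
    thirdPartyLibs.add(libraryKey)
    // Capture the stack only once the library is known to be reported;
    // capturing it earlier allocated a trace on every deduplicated call.
    const stackTrace = new global.origError()
    const additionalInfo = {
        [AdditionalInfoObj.keys.LIBRARY_NAME]: libName,
        [AdditionalInfoObj.keys.LIBRARY_VERSION]: libVersion,
    }
    const entity = new Entity.Entity(libraryKey, "", Entity.EntityType.COMPONENT)
    TaintTracker.reportExploitVulnerabilityWithEntity(Vulnerability.OPEN_SOURCE_IAST, displayLibraryName, entity, additionalInfo, stackTrace)
}

/**
 * Splits a module path into the name of the dependency that owns it and the
 * path of the node_modules directory that contains that dependency.
 *
 * Only the innermost (last) `node_modules/` segment is considered, so a
 * nested dependency resolves to its own name rather than its parent's. The
 * returned path keeps the caller's separator style: backslashes are restored
 * when the input contained any.
 *
 * NOTE(review): the name is the single path segment that follows
 * `node_modules/`, so a scoped package (`@scope/pkg`) yields only `@scope`;
 * confirm whether the package.json reader expects that.
 *
 * @param {string} libPath - module path expected to contain a node_modules segment
 * @returns {{name: string, path: string}} `name` is "" when no dependency
 *   name can be extracted (no `node_modules/` segment, or nothing after it);
 *   `path` is "" in the former case
 */
function extractThirdPartyLibNameAndPath(libPath) {
    const libPathUnix = libPath.origReplace(/\\/g, '/')
    const start = libPathUnix.origLastIndexOf(NODE_MODULES_SEGMENT)
    if (start === -1) {
        // The caller only checks for the bare word "node_modules"; without the
        // trailing separator the offset arithmetic below would slice an
        // unrelated part of the path and could yield a bogus name.
        return {name: "", path: ""}
    }
    const afterNodeModules = libPathUnix.origSubstring(start + NODE_MODULES_SEGMENT.length)
    const nameEnd = afterNodeModules.origIndexOf('/')
    const libName = nameEnd !== -1 ? afterNodeModules.origSubstring(0, nameEnd) : ""
    // Keep the directory itself (without the trailing separator).
    let nodeModulesPath = libPathUnix.origSubstring(0, start + 'node_modules'.length)
    if (libPath.origStringIncludes('\\')) {
        nodeModulesPath = nodeModulesPath.origReplace(/\//g, '\\')
    }
    return {name: libName, path: nodeModulesPath}
}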