// The four lookup modes exposed by the repository: by URI, by filename, by file hash and
// by file content. Each assignment below replaces the previous result rather than merging
// it. NOTE(review): this is a fragment — the surrounding method and the origin of `path`,
// `filename`, `hash` and `contentString` are not visible here; they presumably come from
// the scanned response, i.e. untrusted input.
List<JsLibraryResult> res = repo.findByUri(path); res = repo.findByFilename(filename); res = repo.findByHash(hash); res = repo.findByFileContent(contentString);
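/**
 * Search mode that looks for literal strings / version patterns specific to each
 * known library inside the script body itself.
 *
 * For every library that declares content regexes, each regex is tried against the
 * complete script; the first one that yields a version identifies the library and
 * the remaining regexes of that library are skipped. Matching then continues with
 * the next library, so several libraries can be reported for a single script.
 *
 * NOTE(review): the regexes come from the loaded repository, while
 * {@code scriptContent} is attacker-controlled (it is the body of a script fetched
 * from the scanned site). A pathological pattern run against a large script can be
 * very slow (ReDoS); the timing written at debug level is the only signal for that,
 * and every pattern is recompiled on every call.
 *
 * @param scriptContent Complete content of the script; {@code null} yields an empty
 *                      result instead of a {@code NullPointerException}
 * @return The list of vulnerable libraries found (never {@code null})
 */
public List<JsLibraryResult> findByFileContent(String scriptContent) {
    List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
    if (scriptContent == null) {
        // Nothing to analyse; the original code dereferenced this unconditionally.
        return res;
    }
    // Only a short preview is logged. The content is untrusted, so both CR and LF are
    // stripped to keep it from forging additional log lines.
    String scriptStart = scriptContent.substring(0, Math.min(20, scriptContent.length()))
            .replace("\n", "").replace("\r", "");
    Log.debug("Analysing the content: \"" + scriptStart + "[..]\"");
    long before = System.currentTimeMillis();

    libLoop:
    for (JsLibrary lib : jsLibrares) {
        if (lib.getFileContents() == null) {
            continue;
        }
        for (String contentRegex : lib.getFileContents()) {
            // Extract version (simpleMatch presumably returns the captured version or null)
            Pattern p = Pattern.compile(contentRegex);
            String version = RegexUtil.simpleMatch(p, scriptContent);
            if (version != null) {
                // Pattern match
                Log.debug("Pattern match \"" + contentRegex + "\" !");
                Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");
                findVersionVulnerable(lib, version, res, null, contentRegex);
                // One matching regex per library is enough; move on to the next library.
                continue libLoop;
            }
        }
    }
    long delta = System.currentTimeMillis() - before;
    Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
    return res;
}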
// Builds a repository and registers one library in it, keeping a running count of
// loaded libraries. NOTE(review): fragment only — `lib` and `nbLoaded` are declared
// outside the visible span, presumably in a loop over the parsed repository file.
VulnerabilitiesRepository repo = new VulnerabilitiesRepository(); repo.addLibrary(lib); nbLoaded++;
/**
 * Search mode that identifies a library by the hash of the script file.
 *
 * The hash is looked up in the hash table of every library that has one; the first
 * library whose table contains it determines the version, and the search stops there
 * because a given hash can only belong to one file. Libraries without a hash table are
 * ignored.
 *
 * @param hash Hash of the file to search, in the same form as the keys stored in the
 *             repository
 * @return The list of vulnerable libraries found (empty when no hash matches)
 */
public List<JsLibraryResult> findByHash(String hash) {
    List<JsLibraryResult> found = new ArrayList<JsLibraryResult>();
    for (JsLibrary candidate : jsLibrares) {
        if (candidate.getHashes() == null) {
            continue;
        }
        String matchedVersion = candidate.getHashes().get(hash);
        if (matchedVersion == null) {
            continue;
        }
        // Pattern match
        Log.debug("Hash found \"" + hash + "\" !");
        Log.debug("Identify the library " + candidate.getName() + " (version:" + matchedVersion + ")");
        findVersionVulnerable(candidate, matchedVersion, found, null, null);
        // Only one hash can match the file
        return found;
    }
    return found;
}
Log.debug("Identify the library "+lib.getName()+" (version:"+version+")"); findVersionVulnerable(lib,version,res,uriRegex,null); continue libLoop;
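/**
 * Search mode that identifies a library by its filename, i.e. the name used by the
 * official distribution.
 *
 * Every library that declares filename regexes is tried in turn; the first regex of a
 * library that yields a version identifies it and the remaining regexes of that
 * library are skipped, so several libraries can be reported for one filename.
 *
 * NOTE(review): the filename is derived from a URI supplied by the scanned site, so it
 * is untrusted input; here it is only used as a regex subject and written to the debug
 * log as-is.
 *
 * @param filename Filename taken from an URI; {@code null} yields an empty result
 *                 instead of being handed to the regex matcher
 * @return The list of vulnerable libraries found (never {@code null})
 */
public List<JsLibraryResult> findByFilename(String filename) {
    List<JsLibraryResult> res = new ArrayList<JsLibraryResult>();
    if (filename == null) {
        // Nothing to analyse; avoids passing null into RegexUtil.simpleMatch below.
        return res;
    }
    Log.debug("Analysing filename: \"" + filename + "\"");
    long before = System.currentTimeMillis();

    libLoop:
    for (JsLibrary lib : jsLibrares) {
        if (lib.getFilename() == null) {
            continue;
        }
        for (String filenameRegex : lib.getFilename()) {
            // Extract version (simpleMatch presumably returns the captured version or null)
            Pattern p = Pattern.compile(filenameRegex);
            String version = RegexUtil.simpleMatch(p, filename);
            if (version != null) {
                // Pattern match
                Log.debug("Pattern match \"" + filenameRegex + "\" !");
                Log.debug("Identify the library " + lib.getName() + " (version:" + version + ")");
                findVersionVulnerable(lib, version, res, filenameRegex, null);
                // One matching regex per library is enough; move on to the next library.
                continue libLoop;
            }
        }
    }
    long delta = System.currentTimeMillis() - before;
    Log.debug("It took ~" + (int) (delta / 1000.0) + " sec. (" + delta + " ms) to scan");
    return res;
}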