3 # scanner.py - part of the FDroid server tools
4 # Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
6 # This program is free software: you can redistribute it and/or modify
7 # it under the terms of the GNU Affero General Public License as published by
8 # the Free Software Foundation, either version 3 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU Affero General Public License for more details.
16 # You should have received a copy of the GNU Affero General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from argparse import ArgumentParser
26 from . import metadata
27 from .exception import BuildException, VCSException
def get_gradle_compile_commands(build):
    """Build the regexes that recognise Gradle dependency declarations.

    The plain ``compile`` and ``releaseCompile`` configurations are always
    included.  When ``build.gradle`` lists flavors (i.e. it is non-empty and
    is not the placeholder ``['yes']``), ``<flavor>Compile`` is added for
    every flavor, followed by ``<flavor>ReleaseCompile`` for every flavor.

    :param build: object whose ``gradle`` attribute is either falsy,
        ``['yes']``, or a list of flavor name strings.
    :returns: list of compiled, case-insensitive patterns.  Each pattern
        allows leading whitespace and is intended to be used with
        ``.match()`` against a single line.
    """
    commands = ['compile', 'releaseCompile']
    flavors = build.gradle
    if flavors and flavors != ['yes']:
        for suffix in ('Compile', 'ReleaseCompile'):
            # Escape the flavor so that any regex metacharacter in its name
            # is matched literally instead of altering the pattern.
            commands.extend(re.escape(flavor) + suffix for flavor in flavors)

    return [re.compile(r'\s*' + c, re.IGNORECASE) for c in commands]
42 def scan_source(build_dir, build):
43 """Scan the source code in the given directory (and all subdirectories)
44 and return the number of fatal problems encountered
49 # Common known non-free blobs (always lower case):
51 exp: re.compile(r'.*' + exp, re.IGNORECASE) for exp in [
55 r'admob.*sdk.*android',
58 r'google.*play.*services',
62 r'youtube.*android.*player.*api',
71 def suspects_found(s):
72 for n, r in usual_suspects.items():
76 gradle_mavenrepo = re.compile(r'maven *{ *(url)? *[\'"]?([^ \'"]*)[\'"]?')
78 allowed_repos = [re.compile(r'^https?://' + re.escape(repo) + r'/*') for repo in [
79 'repo1.maven.org/maven2', # mavenCentral()
80 'jcenter.bintray.com', # jcenter()
82 'repo.maven.apache.org/maven2',
83 'oss.jfrog.org/artifactory/oss-snapshot-local',
84 'oss.sonatype.org/content/repositories/snapshots',
85 'oss.sonatype.org/content/repositories/releases',
86 'oss.sonatype.org/content/groups/public',
87 'clojars.org/repo', # Clojure free software libs
88 's3.amazonaws.com/repo.commonsware.com', # CommonsWare
89 'plugins.gradle.org/m2', # Gradle plugin repo
93 scanignore = common.getpaths_map(build_dir, build.scanignore)
94 scandelete = common.getpaths_map(build_dir, build.scandelete)
96 scanignore_worked = set()
97 scandelete_worked = set()
100 for k, paths in scanignore.items():
103 scanignore_worked.add(k)
108 for k, paths in scandelete.items():
111 scandelete_worked.add(k)
115 def ignoreproblem(what, fd):
116 logging.info('Ignoring %s at %s' % (what, fd))
119 def removeproblem(what, fd, fp):
120 logging.info('Removing %s at %s' % (what, fd))
124 def warnproblem(what, fd):
127 logging.warn('Found %s at %s' % (what, fd))
129 def handleproblem(what, fd, fp):
131 return ignoreproblem(what, fd)
133 return removeproblem(what, fd, fp)
134 logging.error('Found %s at %s' % (what, fd))
def is_executable(path):
    """Return True if *path* exists and os.access() reports it as executable."""
    if not os.path.exists(path):
        return False
    return os.access(path, os.X_OK)
140 textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
144 with open(path, 'rb') as f:
146 return bool(d.translate(None, textchars))
148 # False positives patterns for files that are binary and executable.
149 safe_paths = [re.compile(r) for r in [
150 r".*/drawable[^/]*/.*\.png$", # png drawables
151 r".*/mipmap[^/]*/.*\.png$", # png mipmaps
156 for sp in safe_paths:
161 gradle_compile_commands = get_gradle_compile_commands(build)
def is_used_by_gradle(line):
    """Return True if *line* matches any pattern in gradle_compile_commands.

    Each pattern is applied with ``.match()``, i.e. anchored at the start
    of the line.
    """
    for command in gradle_compile_commands:
        if command.match(line):
            return True
    return False
166 # Iterate through all files in the source code
167 for r, d, f in os.walk(build_dir, topdown=True):
169 # It's topdown, so checking the basename is enough
170 for ignoredir in ('.hg', '.git', '.svn', '.bzr'):
176 if curfile in ['.DS_Store']:
179 # Path (relative) to the file
180 fp = os.path.join(r, curfile)
182 if os.path.islink(fp):
185 fd = fp[len(build_dir) + 1:]
186 _, ext = common.get_extension(fd)
189 count += handleproblem('shared library', fd, fp)
191 count += handleproblem('static library', fd, fp)
193 count += handleproblem('Java compiled class', fd, fp)
195 removeproblem('APK file', fd, fp)
198 for name in suspects_found(curfile):
199 count += handleproblem('usual supect \'%s\'' % name, fd, fp)
200 warnproblem('JAR file', fd)
203 if not os.path.isfile(fp):
205 with open(fp, 'r', encoding='utf8', errors='replace') as f:
207 if 'DexClassLoader' in line:
208 count += handleproblem('DexClassLoader', fd, fp)
211 elif ext == 'gradle':
212 if not os.path.isfile(fp):
214 with open(fp, 'r', encoding='utf8', errors='replace') as f:
215 lines = f.readlines()
216 for i, line in enumerate(lines):
217 if is_used_by_gradle(line):
218 for name in suspects_found(line):
219 count += handleproblem('usual supect \'%s\' at line %d' % (name, i + 1), fd, fp)
220 noncomment_lines = [l for l in lines if not common.gradle_comment.match(l)]
221 joined = re.sub(r'[\n\r\s]+', ' ', ' '.join(noncomment_lines))
222 for m in gradle_mavenrepo.finditer(joined):
224 if not any(r.match(url) for r in allowed_repos):
225 count += handleproblem('unknown maven repo \'%s\'' % url, fd, fp)
227 elif ext in ['', 'bin', 'out', 'exe']:
229 count += handleproblem('binary', fd, fp)
231 elif is_executable(fp):
232 if is_binary(fp) and not safe_path(fd):
233 warnproblem('possible binary', fd)
236 if p not in scanignore_worked:
237 logging.error('Unused scanignore path: %s' % p)
241 if p not in scandelete_worked:
242 logging.error('Unused scandelete path: %s' % p)
250 global config, options
252 # Parse command line...
253 parser = ArgumentParser(usage="%(prog)s [options] [APPID[:VERCODE] [APPID[:VERCODE] ...]]")
254 common.setup_global_opts(parser)
255 parser.add_argument("appid", nargs='*', help="app-id with optional versionCode in the form APPID[:VERCODE]")
256 metadata.add_metadata_arguments(parser)
257 options = parser.parse_args()
258 metadata.warnings_action = options.W
260 config = common.read_config(options)
262 # Read all app and srclib metadata
263 allapps = metadata.read_metadata()
264 apps = common.read_app_args(options.appid, allapps, True)
269 if not os.path.isdir(build_dir):
270 logging.info("Creating build directory")
271 os.makedirs(build_dir)
272 srclib_dir = os.path.join(build_dir, 'srclib')
273 extlib_dir = os.path.join(build_dir, 'extlib')
275 for appid, app in apps.items():
278 logging.info("Skipping %s: disabled" % appid)
281 logging.info("Skipping %s: no builds specified" % appid)
284 logging.info("Processing " + appid)
288 if app.RepoType == 'srclib':
289 build_dir = os.path.join('build', 'srclib', app.Repo)
291 build_dir = os.path.join('build', appid)
293 # Set up vcs interface and make sure we have the latest code...
294 vcs = common.getvcs(app.RepoType, app.Repo, build_dir)
296 for build in app.builds:
299 logging.info("...skipping version %s - %s" % (
300 build.versionName, build.get('disable', build.commit[1:])))
302 logging.info("...scanning version " + build.versionName)
304 # Prepare the source code...
305 common.prepare_source(vcs, app, build,
306 build_dir, srclib_dir,
310 count = scan_source(build_dir, build)
312 logging.warn('Scanner found %d problems in %s (%s)' % (
313 count, appid, build.versionCode))
316 except BuildException as be:
317 logging.warn("Could not scan app %s due to BuildException: %s" % (
320 except VCSException as vcse:
321 logging.warn("VCS error while scanning app %s: %s" % (appid, vcse))
324 logging.warn("Could not scan app %s due to unknown error: %s" % (
325 appid, traceback.format_exc()))
328 logging.info("Finished:")
329 print("%d problems found" % probcount)
332 if __name__ == "__main__":