3 # scanner.py - part of the FDroid server tools
4 # Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
6 # This program is free software: you can redistribute it and/or modify
7 # it under the terms of the GNU Affero General Public License as published by
8 # the Free Software Foundation, either version 3 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU Affero General Public License for more details.
16 # You should have received a copy of the GNU Affero General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from argparse import ArgumentParser
27 from . import metadata
28 from .exception import BuildException, VCSException
34 def get_gradle_compile_commands(build):
35 compileCommands = ['compile', 'releaseCompile']
36 if build.gradle and build.gradle != ['yes']:
37 compileCommands += [flavor + 'Compile' for flavor in build.gradle]
38 compileCommands += [flavor + 'ReleaseCompile' for flavor in build.gradle]
40 return [re.compile(r'\s*' + c, re.IGNORECASE) for c in compileCommands]
43 def scan_source(build_dir, build):
44 """Scan the source code in the given directory (and all subdirectories)
45 and return the number of fatal problems encountered
50 # Common known non-free blobs (always lower case):
52 exp: re.compile(r'.*' + exp, re.IGNORECASE) for exp in [
56 r'admob.*sdk.*android',
59 r'google.*play.*services',
63 r'youtube.*android.*player.*api',
73 'firebase-jobdispatcher', # https://github.com/firebase/firebase-jobdispatcher-android/blob/master/LICENSE
74 'com.firebaseui', # https://github.com/firebase/FirebaseUI-Android/blob/master/LICENSE
75 'geofire-android' # https://github.com/firebase/geofire-java/blob/master/LICENSE
78 def is_whitelisted(s):
79 return any(wl in s for wl in whitelisted)
81 def suspects_found(s):
82 for n, r in usual_suspects.items():
83 if r.match(s) and not is_whitelisted(s):
86 gradle_mavenrepo = re.compile(r'maven *{ *(url)? *[\'"]?([^ \'"]*)[\'"]?')
88 allowed_repos = [re.compile(r'^https?://' + re.escape(repo) + r'/*') for repo in [
89 'repo1.maven.org/maven2', # mavenCentral()
90 'jcenter.bintray.com', # jcenter()
92 'repo.maven.apache.org/maven2',
93 'oss.jfrog.org/artifactory/oss-snapshot-local',
94 'oss.sonatype.org/content/repositories/snapshots',
95 'oss.sonatype.org/content/repositories/releases',
96 'oss.sonatype.org/content/groups/public',
97 'clojars.org/repo', # Clojure free software libs
98 's3.amazonaws.com/repo.commonsware.com', # CommonsWare
99 'plugins.gradle.org/m2', # Gradle plugin repo
100 'maven.google.com', # Google Maven Repo, https://developer.android.com/studio/build/dependencies.html#google-maven
104 scanignore = common.getpaths_map(build_dir, build.scanignore)
105 scandelete = common.getpaths_map(build_dir, build.scandelete)
107 scanignore_worked = set()
108 scandelete_worked = set()
110 def toignore(path_in_build_dir):
111 for k, paths in scanignore.items():
113 if path_in_build_dir.startswith(p):
114 scanignore_worked.add(k)
118 def todelete(path_in_build_dir):
119 for k, paths in scandelete.items():
121 if path_in_build_dir.startswith(p):
122 scandelete_worked.add(k)
126 def ignoreproblem(what, path_in_build_dir):
127 logging.info('Ignoring %s at %s' % (what, path_in_build_dir))
130 def removeproblem(what, path_in_build_dir, filepath):
131 logging.info('Removing %s at %s' % (what, path_in_build_dir))
135 def warnproblem(what, path_in_build_dir):
136 if toignore(path_in_build_dir):
138 logging.warn('Found %s at %s' % (what, path_in_build_dir))
140 def handleproblem(what, path_in_build_dir, filepath):
141 if toignore(path_in_build_dir):
142 return ignoreproblem(what, path_in_build_dir)
143 if todelete(path_in_build_dir):
144 return removeproblem(what, path_in_build_dir, filepath)
145 logging.error('Found %s at %s' % (what, path_in_build_dir))
148 def is_executable(path):
149 return os.path.exists(path) and os.access(path, os.X_OK)
151 textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
155 with open(path, 'rb') as f:
157 return bool(d.translate(None, textchars))
159 # False positives patterns for files that are binary and executable.
160 safe_paths = [re.compile(r) for r in [
161 r".*/drawable[^/]*/.*\.png$", # png drawables
162 r".*/mipmap[^/]*/.*\.png$", # png mipmaps
167 for sp in safe_paths:
172 gradle_compile_commands = get_gradle_compile_commands(build)
174 def is_used_by_gradle(line):
175 return any(command.match(line) for command in gradle_compile_commands)
177 # Iterate through all files in the source code
178 for root, dirs, files in os.walk(build_dir, topdown=True):
180 # It's topdown, so checking the basename is enough
181 for ignoredir in ('.hg', '.git', '.svn', '.bzr'):
182 if ignoredir in dirs:
183 dirs.remove(ignoredir)
185 for curfile in files:
187 if curfile in ['.DS_Store']:
190 # Path (relative) to the file
191 filepath = os.path.join(root, curfile)
193 if os.path.islink(filepath):
196 path_in_build_dir = os.path.relpath(filepath, build_dir)
197 _ignored, ext = common.get_extension(path_in_build_dir)
200 count += handleproblem('shared library', path_in_build_dir, filepath)
202 count += handleproblem('static library', path_in_build_dir, filepath)
204 count += handleproblem('Java compiled class', path_in_build_dir, filepath)
206 removeproblem('APK file', path_in_build_dir, filepath)
209 for name in suspects_found(curfile):
210 count += handleproblem('usual suspect \'%s\'' % name, path_in_build_dir, filepath)
211 if curfile == 'gradle-wrapper.jar':
212 removeproblem('gradle-wrapper.jar', path_in_build_dir, filepath)
214 warnproblem('JAR file', path_in_build_dir)
217 warnproblem('AAR file', path_in_build_dir)
220 if not os.path.isfile(filepath):
222 with open(filepath, 'r', encoding='utf8', errors='replace') as f:
224 if 'DexClassLoader' in line:
225 count += handleproblem('DexClassLoader', path_in_build_dir, filepath)
228 elif ext == 'gradle':
229 if not os.path.isfile(filepath):
231 with open(filepath, 'r', encoding='utf8', errors='replace') as f:
232 lines = f.readlines()
233 for i, line in enumerate(lines):
234 if is_used_by_gradle(line):
235 for name in suspects_found(line):
236 count += handleproblem('usual suspect \'%s\' at line %d' % (name, i + 1), path_in_build_dir, filepath)
237 noncomment_lines = [l for l in lines if not common.gradle_comment.match(l)]
238 joined = re.sub(r'[\n\r\s]+', ' ', ' '.join(noncomment_lines))
239 for m in gradle_mavenrepo.finditer(joined):
241 if not any(r.match(url) for r in allowed_repos):
242 count += handleproblem('unknown maven repo \'%s\'' % url, path_in_build_dir, filepath)
244 elif ext in ['', 'bin', 'out', 'exe']:
245 if is_binary(filepath):
246 count += handleproblem('binary', path_in_build_dir, filepath)
248 elif is_executable(filepath):
249 if is_binary(filepath) and not safe_path(path_in_build_dir):
250 warnproblem('possible binary', path_in_build_dir)
253 if p not in scanignore_worked:
254 logging.error('Unused scanignore path: %s' % p)
258 if p not in scandelete_worked:
259 logging.error('Unused scandelete path: %s' % p)
267 global config, options
269 # Parse command line...
270 parser = ArgumentParser(usage="%(prog)s [options] [APPID[:VERCODE] [APPID[:VERCODE] ...]]")
271 common.setup_global_opts(parser)
272 parser.add_argument("appid", nargs='*', help=_("applicationId with optional versionCode in the form APPID[:VERCODE]"))
273 metadata.add_metadata_arguments(parser)
274 options = parser.parse_args()
275 metadata.warnings_action = options.W
277 config = common.read_config(options)
279 # Read all app and srclib metadata
280 allapps = metadata.read_metadata()
281 apps = common.read_app_args(options.appid, allapps, True)
286 if not os.path.isdir(build_dir):
287 logging.info("Creating build directory")
288 os.makedirs(build_dir)
289 srclib_dir = os.path.join(build_dir, 'srclib')
290 extlib_dir = os.path.join(build_dir, 'extlib')
292 for appid, app in apps.items():
295 logging.info(_("Skipping {appid}: disabled").format(appid=appid))
298 logging.info(_("Skipping {appid}: no builds specified").format(appid=appid))
301 logging.info(_("Processing {appid}").format(appid=appid))
305 if app.RepoType == 'srclib':
306 build_dir = os.path.join('build', 'srclib', app.Repo)
308 build_dir = os.path.join('build', appid)
310 # Set up vcs interface and make sure we have the latest code...
311 vcs = common.getvcs(app.RepoType, app.Repo, build_dir)
313 for build in app.builds:
316 logging.info("...skipping version %s - %s" % (
317 build.versionName, build.get('disable', build.commit[1:])))
319 logging.info("...scanning version " + build.versionName)
321 # Prepare the source code...
322 common.prepare_source(vcs, app, build,
323 build_dir, srclib_dir,
327 count = scan_source(build_dir, build)
329 logging.warn('Scanner found %d problems in %s (%s)' % (
330 count, appid, build.versionCode))
333 except BuildException as be:
334 logging.warn("Could not scan app %s due to BuildException: %s" % (
337 except VCSException as vcse:
338 logging.warn("VCS error while scanning app %s: %s" % (appid, vcse))
341 logging.warn("Could not scan app %s due to unknown error: %s" % (
342 appid, traceback.format_exc()))
345 logging.info(_("Finished"))
346 print(_("%d problems found") % probcount)
349 if __name__ == "__main__":