3 # scanner.py - part of the FDroid server tools
4 # Copyright (C) 2010-13, Ciaran Gultnieks, ciaran@ciarang.com
6 # This program is free software: you can redistribute it and/or modify
7 # it under the terms of the GNU Affero General Public License as published by
8 # the Free Software Foundation, either version 3 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU Affero General Public License for more details.
16 # You should have received a copy of the GNU Affero General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 from argparse import ArgumentParser
27 from . import metadata
28 from .exception import BuildException, VCSException
34 def get_gradle_compile_commands(build):
35 compileCommands = ['compile',
45 'releaseImplementation'
49 if build.gradle and build.gradle != ['yes']:
50 compileCommands += [flavor + 'Compile' for flavor in build.gradle]
51 compileCommands += [flavor + 'ReleaseCompile' for flavor in build.gradle]
53 return [re.compile(r'\s*' + c, re.IGNORECASE) for c in compileCommands]
56 def scan_source(build_dir, build=metadata.Build()):
57 """Scan the source code in the given directory (and all subdirectories)
58 and return the number of fatal problems encountered
63 # Common known non-free blobs (always lower case):
65 exp: re.compile(r'.*' + exp, re.IGNORECASE) for exp in [
69 r'admob.*sdk.*android',
72 r'google.*play.*services',
76 r'youtube.*android.*player.*api',
86 'firebase-jobdispatcher', # https://github.com/firebase/firebase-jobdispatcher-android/blob/master/LICENSE
87 'com.firebaseui', # https://github.com/firebase/FirebaseUI-Android/blob/master/LICENSE
88 'geofire-android' # https://github.com/firebase/geofire-java/blob/master/LICENSE
91 def is_whitelisted(s):
92 return any(wl in s for wl in whitelisted)
94 def suspects_found(s):
95 for n, r in usual_suspects.items():
96 if r.match(s) and not is_whitelisted(s):
99 gradle_mavenrepo = re.compile(r'maven *{ *(url)? *[\'"]?([^ \'"]*)[\'"]?')
101 allowed_repos = [re.compile(r'^https?://' + re.escape(repo) + r'/*') for repo in [
102 'repo1.maven.org/maven2', # mavenCentral()
103 'jcenter.bintray.com', # jcenter()
105 'repo.maven.apache.org/maven2',
106 'oss.jfrog.org/artifactory/oss-snapshot-local',
107 'oss.sonatype.org/content/repositories/snapshots',
108 'oss.sonatype.org/content/repositories/releases',
109 'oss.sonatype.org/content/groups/public',
110 'clojars.org/repo', # Clojure free software libs
111 's3.amazonaws.com/repo.commonsware.com', # CommonsWare
112 'plugins.gradle.org/m2', # Gradle plugin repo
113 'maven.google.com', # Google Maven Repo, https://developer.android.com/studio/build/dependencies.html#google-maven
117 scanignore = common.getpaths_map(build_dir, build.scanignore)
118 scandelete = common.getpaths_map(build_dir, build.scandelete)
120 scanignore_worked = set()
121 scandelete_worked = set()
123 def toignore(path_in_build_dir):
124 for k, paths in scanignore.items():
126 if path_in_build_dir.startswith(p):
127 scanignore_worked.add(k)
131 def todelete(path_in_build_dir):
132 for k, paths in scandelete.items():
134 if path_in_build_dir.startswith(p):
135 scandelete_worked.add(k)
139 def ignoreproblem(what, path_in_build_dir):
140 logging.info('Ignoring %s at %s' % (what, path_in_build_dir))
143 def removeproblem(what, path_in_build_dir, filepath):
144 logging.info('Removing %s at %s' % (what, path_in_build_dir))
148 def warnproblem(what, path_in_build_dir):
149 if toignore(path_in_build_dir):
151 logging.warn('Found %s at %s' % (what, path_in_build_dir))
153 def handleproblem(what, path_in_build_dir, filepath):
154 if toignore(path_in_build_dir):
155 return ignoreproblem(what, path_in_build_dir)
156 if todelete(path_in_build_dir):
157 return removeproblem(what, path_in_build_dir, filepath)
158 logging.error('Found %s at %s' % (what, path_in_build_dir))
161 def is_executable(path):
162 return os.path.exists(path) and os.access(path, os.X_OK)
164 textchars = bytearray({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)) - {0x7f})
168 with open(path, 'rb') as f:
170 return bool(d.translate(None, textchars))
172 # False positives patterns for files that are binary and executable.
173 safe_paths = [re.compile(r) for r in [
174 r".*/drawable[^/]*/.*\.png$", # png drawables
175 r".*/mipmap[^/]*/.*\.png$", # png mipmaps
180 for sp in safe_paths:
185 gradle_compile_commands = get_gradle_compile_commands(build)
187 def is_used_by_gradle(line):
188 return any(command.match(line) for command in gradle_compile_commands)
190 # Iterate through all files in the source code
191 for root, dirs, files in os.walk(build_dir, topdown=True):
193 # It's topdown, so checking the basename is enough
194 for ignoredir in ('.hg', '.git', '.svn', '.bzr'):
195 if ignoredir in dirs:
196 dirs.remove(ignoredir)
198 for curfile in files:
200 if curfile in ['.DS_Store']:
203 # Path (relative) to the file
204 filepath = os.path.join(root, curfile)
206 if os.path.islink(filepath):
209 path_in_build_dir = os.path.relpath(filepath, build_dir)
210 _ignored, ext = common.get_extension(path_in_build_dir)
213 count += handleproblem('shared library', path_in_build_dir, filepath)
215 count += handleproblem('static library', path_in_build_dir, filepath)
217 count += handleproblem('Java compiled class', path_in_build_dir, filepath)
219 removeproblem('APK file', path_in_build_dir, filepath)
222 for name in suspects_found(curfile):
223 count += handleproblem('usual suspect \'%s\'' % name, path_in_build_dir, filepath)
224 if curfile == 'gradle-wrapper.jar':
225 removeproblem('gradle-wrapper.jar', path_in_build_dir, filepath)
227 warnproblem('JAR file', path_in_build_dir)
230 warnproblem('AAR file', path_in_build_dir)
233 if not os.path.isfile(filepath):
235 with open(filepath, 'r', encoding='utf8', errors='replace') as f:
237 if 'DexClassLoader' in line:
238 count += handleproblem('DexClassLoader', path_in_build_dir, filepath)
241 elif ext == 'gradle':
242 if not os.path.isfile(filepath):
244 with open(filepath, 'r', encoding='utf8', errors='replace') as f:
245 lines = f.readlines()
246 for i, line in enumerate(lines):
247 if is_used_by_gradle(line):
248 for name in suspects_found(line):
249 count += handleproblem('usual suspect \'%s\' at line %d' % (name, i + 1), path_in_build_dir, filepath)
250 noncomment_lines = [l for l in lines if not common.gradle_comment.match(l)]
251 joined = re.sub(r'[\n\r\s]+', ' ', ' '.join(noncomment_lines))
252 for m in gradle_mavenrepo.finditer(joined):
254 if not any(r.match(url) for r in allowed_repos):
255 count += handleproblem('unknown maven repo \'%s\'' % url, path_in_build_dir, filepath)
257 elif ext in ['', 'bin', 'out', 'exe']:
258 if is_binary(filepath):
259 count += handleproblem('binary', path_in_build_dir, filepath)
261 elif is_executable(filepath):
262 if is_binary(filepath) and not safe_path(path_in_build_dir):
263 warnproblem('possible binary', path_in_build_dir)
266 if p not in scanignore_worked:
267 logging.error('Unused scanignore path: %s' % p)
271 if p not in scandelete_worked:
272 logging.error('Unused scandelete path: %s' % p)
280 global config, options
282 # Parse command line...
283 parser = ArgumentParser(usage="%(prog)s [options] [APPID[:VERCODE] [APPID[:VERCODE] ...]]")
284 common.setup_global_opts(parser)
285 parser.add_argument("appid", nargs='*', help=_("applicationId with optional versionCode in the form APPID[:VERCODE]"))
286 metadata.add_metadata_arguments(parser)
287 options = parser.parse_args()
288 metadata.warnings_action = options.W
290 config = common.read_config(options)
292 # Read all app and srclib metadata
293 allapps = metadata.read_metadata()
294 apps = common.read_app_args(options.appid, allapps, True)
299 if not os.path.isdir(build_dir):
300 logging.info("Creating build directory")
301 os.makedirs(build_dir)
302 srclib_dir = os.path.join(build_dir, 'srclib')
303 extlib_dir = os.path.join(build_dir, 'extlib')
305 for appid, app in apps.items():
308 logging.info(_("Skipping {appid}: disabled").format(appid=appid))
312 if app.RepoType == 'srclib':
313 build_dir = os.path.join('build', 'srclib', app.Repo)
315 build_dir = os.path.join('build', appid)
318 logging.info(_("Processing {appid}").format(appid=appid))
320 logging.info(_("{appid}: no builds specified, running on current source state")
321 .format(appid=appid))
322 count = scan_source(build_dir)
324 logging.warn(_('Scanner found {count} problems in {appid}:')
325 .format(count=count, appid=appid))
329 # Set up vcs interface and make sure we have the latest code...
330 vcs = common.getvcs(app.RepoType, app.Repo, build_dir)
332 for build in app.builds:
335 logging.info("...skipping version %s - %s" % (
336 build.versionName, build.get('disable', build.commit[1:])))
339 logging.info("...scanning version " + build.versionName)
340 # Prepare the source code...
341 common.prepare_source(vcs, app, build,
342 build_dir, srclib_dir,
345 count = scan_source(build_dir, build)
347 logging.warn(_('Scanner found {count} problems in {appid}:{versionCode}:')
348 .format(count=count, appid=appid, versionCode=build.versionCode))
351 except BuildException as be:
352 logging.warn("Could not scan app %s due to BuildException: %s" % (
355 except VCSException as vcse:
356 logging.warn("VCS error while scanning app %s: %s" % (appid, vcse))
359 logging.warn("Could not scan app %s due to unknown error: %s" % (
360 appid, traceback.format_exc()))
363 logging.info(_("Finished"))
364 print(_("%d problems found") % probcount)
367 if __name__ == "__main__":