From 21117b77d228458b4d3b003c4af19a2ac236b784 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Daniel=20Mart=C3=AD?=
Date: Wed, 7 Oct 2015 18:14:11 +0200
Subject: [PATCH] scanner: error on unknown maven repos

This finds maven repos of the format: maven { url 'http://foo.bar' } And checks if the repository is one that we allow. As usual, scanignore can be used, or the list modified, if there are exceptions or more repositories to allow.
---
 fdroidserver/scanner.py | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/fdroidserver/scanner.py b/fdroidserver/scanner.py
index 7a7e5d2b..5587bd4b 100644
--- a/fdroidserver/scanner.py
+++ b/fdroidserver/scanner.py
@@ -72,6 +72,17 @@ def scan_source(build_dir, root_dir, thisbuild):
 if r.match(s):
 yield n
+ gradle_mavenrepo = re.compile(r'maven *{ *(url)? *[\'"]?([^ \'"]*)[\'"]?')
+
+ allowed_repos = [re.compile(r'^https?://' + repo + '/*') for repo in [
+ r'repo1.maven.org/maven2', # mavenCentral()
+ r'jcenter.bintray.com', # jcenter()
+ r'jitpack.io',
+ r'oss.sonatype.org/content/repositories/snapshots',
+ r'oss.sonatype.org/content/repositories/releases',
+ ]
+ ]
+
 scanignore = common.getpaths_map(build_dir, thisbuild['scanignore'])
 scandelete = common.getpaths_map(build_dir, thisbuild['scandelete'])
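Review bot: The `allowed_repos` patterns are prefix matches built from unescaped text: `re.compile(r'^https?://' + repo + '/*')` leaves every `.` in the host acting as a wildcard and ends in `/*`, which also matches zero slashes, so with `re.match` (used in the later hunk of this file) any URL that merely begins with an allowed string is accepted — a longer hostname of the form `jitpack.io.<other-host>` or a path such as `repo1.maven.org/maven2-other/` passes as if it were the allowed repository. Escaping the entry and anchoring the end of the host/path fixes both: `allowed_repos = [re.compile(r'^https?://' + re.escape(repo) + r'(?:/|$)') for repo in [`. Separately, `https?` admits plain `http://` for every entry, so a repository fetched over cleartext still passes the allowlist; if that is intentional, a comment such as `# http:// accepted on purpose; tighten to https only if policy requires` would record the decision next to the list. scan_source starts and ends outside the hunk.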
@@ -174,11 +185,17 @@ def scan_source(build_dir, root_dir, thisbuild):
 elif ext == 'gradle':
 if not os.path.isfile(fp):
 continue
- for i, line in enumerate(file(fp)):
- i = i + 1
+ with open(fp, 'r') as f:
+ lines = f.readlines()
+ for i, line in enumerate(lines):
 if is_used_by_gradle(line):
 for name in suspects_found(line):
- count += handleproblem('usual supect \'%s\' at line %d' % (name, i), fd, fp)
+ count += handleproblem('usual supect \'%s\' at line %d' % (name, i+1), fd, fp)
+ joined = re.sub(r'[\n\r\s]+', ' ', ' '.join(lines))
+ for m in gradle_mavenrepo.finditer(joined):
+ url = m.group(2)
+ if not any(r.match(url) for r in allowed_repos):
+ count += handleproblem('unknown maven repo \'%s\'' % url, fd, fp)
 elif ext in ['', 'bin', 'out', 'exe']:
 if is_binary(fp):
-- 
2.30.2
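Review bot: `url = m.group(2)` is not guaranteed to hold a URL: because `(url)?` and the quote classes in `gradle_mavenrepo` are all optional, a block written as `maven { name 'x' url '...' }`, `maven { url = '...' }` or `maven { url uri(...) }` captures `name`, `=` or `uri(` instead, and the declaration's real URL is never compared against `allowed_repos`. The check still fails closed, since such a token matches no allowed pattern, but the report then reads `unknown maven repo 'name'` and hides what was actually found. Including the whole match in the message makes triage straightforward, e.g. `count += handleproblem('unknown maven repo \'%s\' (in \'%s\')' % (url, m.group(0)), fd, fp)`, and a comment above the regex such as `# captures the first token after 'maven {' or 'url'; may be a variable or keyword rather than the URL` would document the limitation. Unlike the usual-suspect report a few lines above, this one carries no line number because `joined` has flattened the file, which is worth stating in that same comment. scan_source starts and ends outside the hunk.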