lets detect spring4shell

.github/workflows/github_release.yml

@@ -0,0 +1,28 @@
+name: github release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,11 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+
+*.iml
+.idea/

.goreleaser.yml

@@ -0,0 +1,63 @@
+project_name: spring4shell-detect
+
+release:
+  prerelease: auto
+  name_template: "{{.ProjectName}}-v{{.Version}}"
+
+  github:
+    owner: whitesource
+    name: spring4shell-detect
+
+before:
+  hooks:
+    - go mod tidy
+
+checksum:
+  algorithm: sha256
+  # Disable the generation/upload of the checksum file.
+  disable: false
+
+builds:
+  - <<: &build_defaults
+      binary: spring4shell-detect
+      main: ./main.go
+
+    id: linux
+    goos: [ linux ]
+    goarch: [ amd64, arm64 ]
+
+  - <<: *build_defaults
+    id: windows
+    goos: [ windows ]
+    goarch: [ amd64, arm64 ]
+
+  - <<: *build_defaults
+    id: macos
+    goos: [ darwin ]
+    goarch: [ amd64, arm64 ]
+
+
+archives:
+  - <<: &archive_defaults
+      name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
+      wrap_in_directory: "false"
+      files:
+        - none*
+    id: unix
+    builds: [ linux, macos ]
+    format: tar.gz
+
+  - <<: *archive_defaults
+    id: windows
+    builds: [ windows ]
+    format: zip
+
+nfpms:
+  - maintainer: WhiteSource
+    vendor: WhiteSource
+    homepage: https://github.com/whitesource/spring4shell-distribution
+    description: Tool for discovering "spring4shell" exploit
+    bindir: /usr/bin
+    formats:
+      - deb
+      - rpm

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 nabeel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,95 @@
+# Spring4Shell Detect
+
+WhiteSource spring4shell Detect is a free CLI tool that quickly scans your projects to find vulnerable Spring4shell versions
+containing the following known CVEs:
+
+* CVE-2022-22963
+* CVE-2022-22965
+
+It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.
+
+The supported packages managers are:
+
+* gradle
+* maven
+* bundler
+
+In addition, the tool will search for vulnerable files with the `.jar`,`.gem` extensions.
+
+### Prerequisites:
+
+* Download the spring4shell-detect binary based on your OS platform (see installation steps below)
+
+---
+**NOTE**
+
+1. For mac users, if the following message appears:
+   "spring4shell-detect can't be opened because Apple cannot check it for malicious software", please follow the steps
+   [described here](https://support.apple.com/en-il/guide/mac-help/mchleab3a043/mac)
+
+
+2. The relevant binaries must be installed for the scan to work, i.e:
+    * `gradle` if the scanned project is a gradle project (contains a `settings.gradle` or a `build.gradle` file)
+    * `mvn` if the scanned project is a maven project (contains a `pom.xml` file)
+    * `ruby`/`jruby` and `gem`/`jgem` if the scanned project is a bundler project (contains a `Gemfile.lock`/`gems.locked` file)
+
+
+3. Building the projects before scanning will improve scan time and reduce potential scan errors
+
+    * maven projects __must__ be built prior to scanning, e.g. with the following command:
+       ```shell
+       mvn install
+       ```
+
+    * bundler projects __must__ be built prior to scanning, e.g. with the following command:
+       ```shell
+       jbundler install
+       ```
+
+    * It is not necessary to run `gradle build` prior to scanning a `gradle` project, but that will greatly decrease the
+      scan time
+
+---
+
+## Usage
+
+In order to scan your project, simply run the following command:
+
+```shell
+spring4shell-detect scan -d PROJECT_DIR
+```
+
+The folder can include source code that uses supported package managers in the project, as well binaries with the
+supported extensions mentioned above.
+It may error if it's run in a location which has protected folders it cannot access, such as Windows system folders.
+
+## Installation
+
+### Linux
+
+```shell
+ARCH=amd64 # or ARCH=arm64
+wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-linux-$ARCH.tar.gz"
+tar -xzvf spring4shell-detect-1.0.0-linux-$ARCH.tar.gz
+chmod +x spring4shell-detect
+./spring4shell-detect -h
+```
+
+### Mac
+
+```shell
+ARCH=amd64 # or ARCH=arm64 
+wget "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz"
+tar -xzvf spring4shell-detect-1.0.0-darwin-$ARCH.tar.gz
+chmod +x spring4shell-detect
+./spring4shell-detect -h
+```
+
+### Windows
+
+```powershell
+Invoke-WebRequest -Uri "https://github.com/whitesource/spring4shell-detect/releases/latest/download/spring4shell-detect-1.0.0-windows-amd64.zip" -OutFile "spring4shell-detect.zip"
+Expand-Archive -LiteralPath 'spring4shell-detect.zip'
+cd spring4shell-detect
+.\spring4shell-detect.exe -h
+```

cmd/clioptions/options.go

@@ -0,0 +1,25 @@
+package clioptions
+
+import (
+	"io"
+	"os"
+)
+
+// IOStreams provides the standard names for iostreams.
+type IOStreams struct {
+	// In think, os.Stdin
+	In io.Reader
+	// Out think, os.Stdout
+	Out io.Writer
+	// ErrOut think, os.Stderr
+	ErrOut io.Writer
+}
+
+// StandardIOStreams returns an IOStreams from os.Stdin, os.Stdout
+func StandardIOStreams() IOStreams {
+	return IOStreams{
+		In:     os.Stdin,
+		Out:    os.Stdout,
+		ErrOut: os.Stderr,
+	}
+}

cmd/clioptions/settings/fs.go

@@ -0,0 +1,33 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/spring4shell-detect/fs"
+	"github.com/whitesource/spring4shell-detect/operations"
+	fsop "github.com/whitesource/spring4shell-detect/operations/fs"
+	rc "github.com/whitesource/spring4shell-detect/records"
+	fsscreen "github.com/whitesource/spring4shell-detect/screening/fs"
+	"github.com/whitesource/spring4shell-detect/utils/exec"
+)
+
+type FilesystemResolver struct {
+	Disabled bool
+}
+
+func (r FilesystemResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OFS: fsscreen.Query()}
+}
+
+func (r FilesystemResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OFS: fsop.NewSurgeon(logger, commander),
+	}
+}

cmd/clioptions/settings/gradle.go

@@ -0,0 +1,38 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/spring4shell-detect/fs"
+	"github.com/whitesource/spring4shell-detect/operations"
+	gradleS "github.com/whitesource/spring4shell-detect/operations/gradle"
+	rc "github.com/whitesource/spring4shell-detect/records"
+	gradleQ "github.com/whitesource/spring4shell-detect/screening/gradle"
+	"github.com/whitesource/spring4shell-detect/utils/exec"
+)
+
+type GradleResolver struct {
+	Disabled       bool
+	AdditionalArgs []string
+	Configurations struct {
+		Include []string
+		Exclude []string
+	}
+}
+
+func (r GradleResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OGradle: gradleQ.Query()}
+}
+
+func (r GradleResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OGradle: gradleS.NewSurgeon(logger, commander, r.AdditionalArgs, r.Configurations.Include, r.Configurations.Exclude),
+	}
+}

cmd/clioptions/settings/maven.go

@@ -0,0 +1,38 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/spring4shell-detect/fs"
+	"github.com/whitesource/spring4shell-detect/operations"
+	mavenS "github.com/whitesource/spring4shell-detect/operations/maven"
+	rc "github.com/whitesource/spring4shell-detect/records"
+	mavenQ "github.com/whitesource/spring4shell-detect/screening/maven"
+	"github.com/whitesource/spring4shell-detect/utils/exec"
+)
+
+type MavenResolver struct {
+	Disabled       bool
+	AdditionalArgs []string
+	Scopes         struct {
+		Include []string
+		Exclude []string
+	}
+}
+
+func (r MavenResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.OMaven: mavenQ.Query()}
+}
+
+func (r MavenResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.OMaven: mavenS.NewSurgeon(logger, commander, r.AdditionalArgs, r.Scopes.Include, r.Scopes.Exclude),
+	}
+}

cmd/clioptions/settings/ruby.go

@@ -0,0 +1,33 @@
+package settings
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/whitesource/spring4shell-detect/fs"
+	"github.com/whitesource/spring4shell-detect/operations"
+	rubyS "github.com/whitesource/spring4shell-detect/operations/ruby"
+	rc "github.com/whitesource/spring4shell-detect/records"
+	rubyQ "github.com/whitesource/spring4shell-detect/screening/ruby"
+	"github.com/whitesource/spring4shell-detect/utils/exec"
+)
+
+type RubyResolver struct {
+	Disabled bool
+}
+
+func (r RubyResolver) Queries() map[rc.Organ]*fs.Query {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]*fs.Query{rc.ORuby: rubyQ.Query()}
+}
+
+func (r RubyResolver) Surgeons(logger logr.Logger, commander exec.Commander) map[rc.Organ]operations.Surgeon {
+	if r.Disabled {
+		return nil
+	}
+
+	return map[rc.Organ]operations.Surgeon{
+		rc.ORuby: rubyS.NewSurgeon(logger, commander),
+	}
+}