github.com/google/osv-scalibr@v0.4.1/annotator/cachedir/cachedir.go

github.com/google/osv-scalibr@v0.4.1/annotator/cachedir/cachedir.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package cachedir implements an annotator for packages that are in cache directories.
    16  package cachedir
    17  
    18  import (
    19  	"context"
    20  	"path/filepath"
    21  	"regexp"
    22  	"slices"
    23  
    24  	"github.com/google/osv-scalibr/annotator"
    25  	"github.com/google/osv-scalibr/inventory"
    26  	"github.com/google/osv-scalibr/inventory/vex"
    27  	"github.com/google/osv-scalibr/plugin"
    28  )
    29  
    30  const (
    31  	// Name of the Annotator.
    32  	Name = "vex/cachedir"
    33  )
    34  
    35  // patterns to match cache directories
    36  var cacheDirPatterns = []*regexp.Regexp{
    37  	// Linux/Unix-like systems
    38  	regexp.MustCompile(`^/?tmp/`),
    39  	regexp.MustCompile(`^/?home/[^/]+/\.local/share/Trash/`),
    40  	regexp.MustCompile(`^/?home/[^/]+/\.cache/`),
    41  	regexp.MustCompile(`^/?root/\.cache/`),
    42  	regexp.MustCompile(`^/?var/cache/`),
    43  
    44  	// macOS
    45  	regexp.MustCompile(`^/?private/tmp/`),
    46  	regexp.MustCompile(`^/?System/Volumes/Data/private/var/tmp/`),
    47  	regexp.MustCompile(`^/?System/Volumes/Data/private/tmp/`),
    48  	regexp.MustCompile(`^/?Users/[^/]+/Library/Caches/`),
    49  
    50  	// Windows
    51  	regexp.MustCompile(`(C:/)?Users/[^/]+/AppData/Local/Temp/`),
    52  	regexp.MustCompile(`(C:/)?Windows/Temp/`),
    53  }
    54  
    55  // Annotator adds annotations to packages that are in cache directories.
    56  type Annotator struct{}
    57  
    58  // New returns a new Annotator.
    59  func New() annotator.Annotator { return &Annotator{} }
    60  
    61  // Name of the annotator.
    62  func (Annotator) Name() string { return Name }
    63  
    64  // Version of the annotator.
    65  func (Annotator) Version() int { return 0 }
    66  
    67  // Requirements of the annotator.
    68  func (Annotator) Requirements() *plugin.Capabilities { return &plugin.Capabilities{} }
    69  
    70  // Annotate adds annotations to packages that are in cache directories.
    71  func (Annotator) Annotate(ctx context.Context, input *annotator.ScanInput, results *inventory.Inventory) error {
    72  	for _, pkg := range results.Packages {
    73  		if ctx.Err() != nil {
    74  			return ctx.Err()
    75  		}
    76  		if slices.ContainsFunc(pkg.Locations, isInsideCacheDir) {
    77  			pkg.ExploitabilitySignals = append(pkg.ExploitabilitySignals, &vex.PackageExploitabilitySignal{
    78  				Plugin:          Name,
    79  				Justification:   vex.ComponentNotPresent,
    80  				MatchesAllVulns: true,
    81  			})
    82  		}
    83  	}
    84  	return nil
    85  }
    86  
    87  func isInsideCacheDir(path string) bool {
    88  	path = filepath.ToSlash(path)
    89  
    90  	// Check if the absolute path matches any of the known cache directory patterns
    91  	for _, r := range cacheDirPatterns {
    92  		if r.MatchString(path) {
    93  			return true
    94  		}
    95  	}
    96  	return false
    97  }