
Fix nil dereference issue regarding Applicability Scan results #755

Merged: eranturgeman merged 1 commit into jfrog:dev from eranturgeman:fix-nil-pointer-issue-in-get-applic-scan-results on May 19, 2026

Conversation

@eranturgeman (Contributor):

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running `go vet ./...`.
  • The code has been formatted properly using `go fmt ./...`.
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered in the JFrog Documentation, new documentation has been added.

@eranturgeman eranturgeman requested a review from attiasas May 17, 2026 13:28
@eranturgeman eranturgeman added bug Something isn't working safe to test Approve running integration tests on a pull request labels May 17, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label May 17, 2026
@eranturgeman eranturgeman added the safe to test Approve running integration tests on a pull request label May 17, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label May 17, 2026
@attiasas (Collaborator) left a comment:

LGTM

@github-actions (Frogbot):

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issue

| Scan Category                              | Status  | Security Issues       |
|--------------------------------------------|---------|-----------------------|
| Software Composition Analysis              | ✅ Done | Not Found             |
| Contextual Analysis                        | ✅ Done | -                     |
| Static Application Security Testing (SAST) | ✅ Done | 1 Issue Found (1 Low) |
| Secrets                                    | ✅ Done | -                     |
| Infrastructure as Code (IaC)               | ✅ Done | Not Found             |

@github-actions (Frogbot):

🎯 Static Application Security Testing (SAST) Vulnerability

Location: os.ReadFile(strings.TrimSpace(path)) at sca/bom/buildinfo/technologies/java/deptreemanager.go (line 109)

| Severity | Finding                                                                         |
|----------|---------------------------------------------------------------------------------|
| Low      | Untrusted stored input used in file paths, allowing access to unintended files. |

Vulnerability Details

Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

```go
func serveFile(w http.ResponseWriter, r *http.Request) {
    var filePath string // assumes db is an initialized *sql.DB
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    // The stored path is passed to ServeFile without any validation (the vulnerable pattern).
    http.ServeFile(w, r, filePath)
}
```

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

```diff
 func serveFile(w http.ResponseWriter, r *http.Request) {
     var filePath string // assumes db is an initialized *sql.DB
     row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
     row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
     http.ServeFile(w, r, filePath)
 }
```
Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(outputFilePath) (at sca/bom/buildinfo/technologies/java/gradle.go line 187)
↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/gradle.go line 187)
↘️ execGradleDepTree (at sca/bom/buildinfo/technologies/java/gradle.go line 159), shown in full:

```go
func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFileContent []byte, err error) {
	gradleExecPath, err := build.GetGradleExecPath(gdt.useWrapper)
	if err != nil {
		err = errorutils.CheckError(err)
		return
	}
	outputFilePath := filepath.Join(depTreeDir, gradleDepTreeOutputFile)
	tasks := []string{
		"clean",
		"generateDepTrees", "-I", filepath.Join(depTreeDir, gradleDepTreeInitFile),
		"-q",
		gradleNoCacheFlag,
		fmt.Sprintf("-Dcom.jfrog.depsTreeOutputFile=%s", outputFilePath),
		"-Dcom.jfrog.includeAllBuildFiles=true",
		fmt.Sprintf("-Dcom.jfrog.includeIncludedBuilds=%t", gdt.useIncludedBuilds)}

	// Add curation audit mode for pass-through functionality if this is a curation command
	if gdt.isCurationCmd {
		tasks = append(tasks, "-Dcom.jfrog.curationAuditMode=true")
	}

	if output, err := buildGradleExecCommand(gradleExecPath, gdt.useWrapper, tasks).CombinedOutput(); err != nil {
		return nil, errorutils.CheckErrorf("error running gradle-dep-tree: %s\n%s", err.Error(), string(output))
	}
	defer func() {
		err = errors.Join(err, errorutils.CheckError(os.Remove(outputFilePath)))
	}()
	outputFileContent, err = os.ReadFile(outputFilePath)
	err = errorutils.CheckError(err)
	return
}
```

↘️ (outputFileContent []byte, err error) (at sca/bom/buildinfo/technologies/java/gradle.go line 159)
↘️ gdt.execGradleDepTree(depTreeDir) (at sca/bom/buildinfo/technologies/java/gradle.go line 96)
↘️ output (at sca/bom/buildinfo/technologies/java/gradle.go line 96)
↘️ output (at sca/bom/buildinfo/technologies/java/gradle.go line 100)
↘️ string(output) (at sca/bom/buildinfo/technologies/java/gradle.go line 100)
↘️ return string(output), nil (at sca/bom/buildinfo/technologies/java/gradle.go line 100)
↘️ (string, error) (at sca/bom/buildinfo/technologies/java/gradle.go line 79)
↘️ manager.runGradleDepTree() (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 57)
↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 57)
↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 59)
↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 56)
↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 57)
↘️ jsonFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 95)
↘️ jsonFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)
↘️ strings.TrimSpace(jsonFilePaths) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)
↘️ strings.Split(strings.TrimSpace(jsonFilePaths), "\n") (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)
↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 98)
↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 98)
↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 99)
↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 108)
↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)
↘️ strings.TrimSpace(path) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)
↘️ os.ReadFile(strings.TrimSpace(path)) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)

@eranturgeman eranturgeman merged commit a866c03 into jfrog:dev May 19, 2026
131 of 178 checks passed