54 changes: 44 additions & 10 deletions src/fosslight_binary/binary_analysis.py
Expand Up @@ -141,6 +141,26 @@ def get_file_list(path_to_find, excluded_files):
file_cnt = 0
found_jar = False

if isinstance(path_to_find, list):
for file in path_to_find:
if not os.path.isfile(file):
logger.warning(f"Skip non-file path in input list: {file}")
continue
bin_with_path = file
file_lower_case = os.path.basename(file).lower()
extension = os.path.splitext(file_lower_case)[1][1:].strip()

if extension == 'jar':
found_jar = True

bin_item = BinaryItem(bin_with_path)
bin_item.binary_name_without_path = os.path.basename(file)
bin_item.source_name_or_path = bin_with_path

bin_list.append(bin_item)
file_cnt += 1
return file_cnt, bin_list, found_jar

for root, dirs, files in os.walk(path_to_find):
for file in files:
bin_with_path = os.path.join(root, file)
Expand Down Expand Up @@ -174,9 +194,15 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
mode = "Normal Mode"
start_time = datetime.now().strftime('%y%m%d_%H%M')

_root_path = path_to_find_bin
if not path_to_find_bin.endswith(os.path.sep):
_root_path += os.path.sep
if isinstance(path_to_find_bin, str) and os.path.isfile(path_to_find_bin):
path_to_find_bin = [path_to_find_bin]

if isinstance(path_to_find_bin, list):
_root_path = ""
else:
_root_path = path_to_find_bin
if not path_to_find_bin.endswith(os.path.sep):
_root_path += os.path.sep

if simple_mode:
mode = "Simple Mode"
Expand All @@ -193,7 +219,12 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
bin_list = []
scan_item = ScannerItem(PKG_NAME, "")

if all_exclude_mode and len(all_exclude_mode) == 4:
if isinstance(path_to_find_bin, list):
excluded_path_with_default_exclusion = []
excluded_path_without_dot = []
excluded_files = []
cnt_file_except_skipped = len(path_to_find_bin)
elif all_exclude_mode and len(all_exclude_mode) == 4:
excluded_path_with_default_exclusion, excluded_path_without_dot, excluded_files, cnt_file_except_skipped = all_exclude_mode
elif simple_mode:
excluded_path_with_default_exclusion, excluded_path_without_dot, excluded_files, cnt_file_except_skipped \
Expand All @@ -203,13 +234,15 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
= get_excluded_paths(path_to_find_bin, path_to_exclude)
logger.debug(f"Skipped paths: {excluded_path_with_default_exclusion}")

if not os.path.isdir(path_to_find_bin):
if isinstance(path_to_find_bin, list):
pass
elif not os.path.isdir(path_to_find_bin):
error_occured(error_msg=f"(-p option) Can't find the directory: {path_to_find_bin}",
result_log=_result_log,
exit=True,
mode=mode)
if not correct_filepath:
correct_filepath = path_to_find_bin
correct_filepath = path_to_find_bin if not isinstance(path_to_find_bin, list) else ""
try:
_, file_list, found_jar = get_file_list(path_to_find_bin, excluded_files)
return_list = list(return_bin_only(file_list))
Expand All @@ -231,7 +264,7 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
else:
total_bin_cnt = len(return_list)
scan_item = ScannerItem(PKG_NAME, start_time)
scan_item.set_cover_pathinfo(path_to_find_bin, excluded_path_without_dot)
scan_item.set_cover_pathinfo(path_to_find_bin if not isinstance(path_to_find_bin, list) else "", excluded_path_without_dot)
try:
# Run OWASP Dependency-check
if found_jar:
Expand All @@ -243,7 +276,8 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
logger.warning(f"Java version {java_ver} detected (<11). FOSSLight Binary Scanner requires Java 11+ to analyze .jar files.")
else:
logger.info("Run OWASP Dependency-check to analyze .jar file")
owasp_items, vulnerability_items, success = analyze_jar_file(path_to_find_bin, excluded_files)
path_to_analyze = path_to_find_bin if not isinstance(path_to_find_bin, list) else ""
owasp_items, vulnerability_items, success = analyze_jar_file(path_to_analyze, excluded_files)
Comment on lines +279 to +280
@coderabbitai coderabbitai Bot Apr 16, 2026

⚠️ Potential issue | 🔴 Critical

Do not call OWASP dependency-check with an empty scan path.

In list mode, Line 276 sets path_to_analyze="", but analyze_jar_file() builds --scan/--out from that value (src/fosslight_binary/_jar_analysis.py:180-200). This can break jar analysis execution.

Minimal safe guard
-                    path_to_analyze = path_to_find_bin if not isinstance(path_to_find_bin, list) else ""
-                    owasp_items, vulnerability_items, success = analyze_jar_file(path_to_analyze, excluded_files)
-                    if success:
-                        return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
-                    else:
-                        logger.warning("Could not find OSS information for some jar files.")
+                    if isinstance(path_to_find_bin, list):
+                        logger.warning("Skip OWASP dependency-check for list input: scan path is not resolvable yet.")
+                    else:
+                        owasp_items, vulnerability_items, success = analyze_jar_file(path_to_find_bin, excluded_files)
+                        if success:
+                            return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
+                        else:
+                            logger.warning("Could not find OSS information for some jar files.")
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/fosslight_binary/binary_analysis.py` around lines 276 - 277, The code
sets path_to_analyze = "" when path_to_find_bin is a list and then calls
analyze_jar_file(path_to_analyze, ...), which causes OWASP dependency-check to
be invoked with an empty --scan path; update the logic in the block around
path_to_analyze and the analyze_jar_file call so you do not call
analyze_jar_file when path_to_analyze would be empty (e.g., skip/continue when
path_to_find_bin is a list or handle list mode by iterating items), or pass a
clearly invalid/None sentinel that analyze_jar_file/_jar_analysis.py treats as
“no scan” instead of building --scan from an empty string; locate the assignment
to path_to_analyze and the analyze_jar_file(...) invocation to implement this
guard.

Contributor Author


@coderabbitai, 커밋 생성해줘


🧩 Analysis chain

@soimkim, I cannot directly push commits, but I'll kick off the planning process to implement the fix. Let me first check how analyze_jar_file uses its path argument to confirm the correct approach.

Task: Guard analyze_jar_file from being called with an empty path in list mode

  • Skip the OWASP dependency-check entirely when path_to_find_bin is a list (since there is no single resolvable scan directory)
  • Remove the intermediate path_to_analyze variable that was set to ""
  • Log a warning so the caller knows jar analysis was skipped

🏁 Script executed:

#!/bin/bash
# Show the analyze_jar_file function signature and the first ~30 lines of its body
ast-grep --pattern 'def analyze_jar_file($$$) {
  $$$
}'

# Also search with rg as fallback
rg -n "def analyze_jar_file" --type py -A 30

Length of output: 2805


@soimkim, confirmed — _jar_analysis.py line 197 passes path_to_find_bin directly to both --scan and --out, so an empty string would break the dependency-check invocation entirely. Here is the fix to apply to src/fosslight_binary/binary_analysis.py:

-                    path_to_analyze = path_to_find_bin if not isinstance(path_to_find_bin, list) else ""
-                    owasp_items, vulnerability_items, success = analyze_jar_file(path_to_analyze, excluded_files)
-                    if success:
-                        return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
-                    else:
-                        logger.warning("Could not find OSS information for some jar files.")
+                    if isinstance(path_to_find_bin, list):
+                        logger.warning("Skip OWASP dependency-check for list input: scan path is not resolvable yet.")
+                    else:
+                        owasp_items, vulnerability_items, success = analyze_jar_file(path_to_find_bin, excluded_files)
+                        if success:
+                            return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
+                        else:
+                            logger.warning("Could not find OSS information for some jar files.")

Please apply this change and push the commit. I cannot push commits directly to the repository.



if success:
return_list = merge_binary_list(owasp_items, vulnerability_items, return_list)
else:
Expand All @@ -252,7 +286,7 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
return_list, db_loaded_cnt = get_oss_info_from_db(return_list, dburl)
return_list = sorted(return_list, key=lambda row: (row.bin_name_with_path))
scan_item.append_file_items(return_list, PKG_NAME)
if correct_mode:
if correct_mode and isinstance(path_to_find_bin, str):
success, msg_correct, correct_list = correct_with_yaml(correct_filepath, path_to_find_bin, scan_item)
if not success:
logger.info(f"No correction with yaml: {msg_correct}")
Expand All @@ -267,7 +301,7 @@ def find_binaries(path_to_find_bin, output_dir, formats, dburl="", simple_mode=F
BIN_EXT_HEADER, HIDE_HEADER, output_format))

except Exception as ex:
error_occured(error_msg=str(ex), exit=False)
error_occured(error_msg=f"Core:{ex}", exit=False)

for success_to_write, writing_msg, result_file in results:
if success_to_write:
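Review bot: In the new list branch of the exclusion setup in `find_binaries`, `cnt_file_except_skipped = len(path_to_find_bin)` counts every entry handed in, but the list branch added to `get_file_list()` drops non-file entries with only a warning, so the reported count can exceed what was actually scanned (presumably this count feeds the summary/cover sheet — confirm). Since that branch already returns an accurate `file_cnt`, keep it instead of discarding it as `_`: `file_cnt, file_list, found_jar = get_file_list(path_to_find_bin, excluded_files)` followed by `if isinstance(path_to_find_bin, list): cnt_file_except_skipped = file_cnt`. The same list mode also disables correction silently via `if correct_mode and isinstance(path_to_find_bin, str)`, and because a single-file `-p` argument is now wrapped into a list, a user passing one file loses yaml correction without any message; an `else:` with `logger.info("Correction with yaml is skipped for file list input.")` would make that visible. Note as well that `get_file_list()` in list mode never consults its `excluded_files` argument, which is harmless today because the caller passes `[]`, but deserves a one-line comment on the branch so the asymmetry is intentional rather than accidental. `find_binaries` begins before the first hunk and continues past the last one.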