
BlackDuck: Support import in plaintext or bytes #13033

Merged
valentijnscholten merged 2 commits into bugfix from blackduck-bytes-import
Aug 24, 2025

Conversation

@Maffooch (Contributor)

I found that while doing some importing using Python requests, Black Duck zip files had to be imported with rb mode in the files parameter:

[("file", open(file_path, "rb"))]

However, when attempting to process CSV files in this way, I would constantly get an exception for two reasons:

  • The temporary_file function does not work well with bytes
  • Following the check if a file is zipped, the file pointer is not reset, so there are no bytes to read, which led to a NoneType exception

To mitigate this, we need to support byte imports as a first-class citizen. I checked the other Black Duck parsers as well to get them up to speed.
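The two failure modes in the description (a parser that only copes with text, and a read after the zip probe that finds nothing because the pointer was never rewound), as an added example that is not DefectDojo's code: the function names, the CSV column names and the member size cap are all assumed for illustration.

```python
import csv
import io
import zipfile

# Constructed sample report (not a real Black Duck export); column names are assumed.
SAMPLE_CSV = b"component,version\nexample-lib,1.2.3\n"


def bytes_left_without_rewind(data):
    """Reproduce the bug: probe with is_zipfile(), then read without seeking back."""
    buf = io.BytesIO(data)
    zipfile.is_zipfile(buf)  # seeks around the tail of the buffer looking for the end record
    return len(buf.read())   # 0: nothing is left, so a CSV parser sees an empty report


def read_report_bytes(fileobj, max_member_bytes=10 * 1024 * 1024):
    """Return the CSV bytes of a report given as a plain CSV or a zip archive.

    Works with file objects opened in "r" or "rb" mode; max_member_bytes is an
    assumed limit (not a project setting) applied before members are decompressed.
    """
    is_zip = zipfile.is_zipfile(fileobj)
    fileobj.seek(0)  # rewind: the probe leaves the pointer at the end of the file
    if not is_zip:
        raw = fileobj.read()
        return raw.encode("utf-8") if isinstance(raw, str) else raw  # text mode yields str
    try:
        with zipfile.ZipFile(fileobj) as zipf:
            for info in zipf.infolist():
                if info.file_size > max_member_bytes:
                    raise ValueError(f"archive member too large: {info.filename}")
            for name in zipf.namelist():
                if name.lower().endswith(".csv"):
                    return zipf.read(name)
    except zipfile.BadZipFile as exc:  # is_zipfile() only checks the trailing record
        raise ValueError(f"malformed zip archive: {exc}") from exc
    raise ValueError("no CSV member found in archive")


def parse_rows(fileobj, **kwargs):
    """Parse the report into a list of dicts, one per CSV row."""
    text = read_report_bytes(fileobj, **kwargs).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def make_zip(csv_bytes):
    """Build an in-memory zip with one CSV member, as an upload arrives in 'rb' mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zipf:
        zipf.writestr("components.csv", csv_bytes)
    buf.seek(0)
    return buf
```

The same rows come back whether the report arrives as text, as bytes, or inside a zip, and the size check runs on the central directory before any member is inflated.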

@Maffooch Maffooch requested a review from mtesauro as a code owner August 22, 2025 18:03
@dryrunsecurity (Bot) commented Aug 22, 2025

DryRun Security

This pull request contains a potential uncontrolled resource consumption vulnerability in the zipfile.ZipFile constructor where exception handling could be improved to better protect against malformed zip files or potential zip bombs, though the current implementation is not considered blocking.

Uncontrolled Resource Consumption in dojo/tools/blackduck_component_risk/importer.py
Vulnerability: Uncontrolled Resource Consumption
Description: The zipfile.ZipFile constructor is called without being wrapped in a try...except block that specifically handles zipfile.BadZipFile or other exceptions related to malformed zip files. While zipfile.is_zipfile() is checked prior to this call, this function only performs a superficial check and does not guarantee the file's integrity or protect against 'zip bombs' or other maliciously crafted archives that could cause resource exhaustion or unhandled exceptions when the ZipFile object is instantiated.

    components = {}
    source = {}
    try:
        with zipfile.ZipFile(report) as zipf:
            c_file = False
            s_file = False
            for full_file_name in zipf.namelist():


All finding details can be found in the DryRun Security Dashboard.

@mtesauro (Contributor) left a comment

Approved

@valentijnscholten valentijnscholten added this to the 2.49.3 milestone Aug 24, 2025
@valentijnscholten valentijnscholten merged commit a02afe3 into bugfix Aug 24, 2025
88 checks passed
@Maffooch Maffooch deleted the blackduck-bytes-import branch October 21, 2025 20:39

5 participants