Feat/static code analysis

chart/Chart.yaml

@@ -5,7 +5,7 @@ description: A Gradle Build Cache server with Redis backend for EduIDE deploymen
 type: application
 
 # Bump this version on every release — also used as the Docker image tag
-version: 0.5.2
+version: 0.5.3
 
 dependencies:
   - name: reposilite

chart/templates/configmap.yaml

@@ -38,4 +38,11 @@ data:
     logging:
       level: "info"
       format: "json"
+
+    static_analysis:
+      enabled: {{ .Values.staticAnalysis.enabled }}
+      check_network: {{ .Values.staticAnalysis.checkNetwork }}
+      check_exec: {{ .Values.staticAnalysis.checkExec }}
+      check_reflection: {{ .Values.staticAnalysis.checkReflection }}
+      check_filesystem: {{ .Values.staticAnalysis.checkFilesystem }}
 {{- end }}

chart/values.yaml

@@ -33,6 +33,16 @@ tls:
   # Kubernetes secret name containing tls.crt and tls.key
   secretName: ""
 
+# ============================================================
+# Static Code Analysis (Java JARs)
+# ============================================================
+staticAnalysis:
+  enabled: false
+  checkNetwork: false
+  checkExec: false
+  checkReflection: false
+  checkFilesystem: false
+
 # ============================================================
 # Gateway API (HTTPRoutes only)
 # ============================================================

src/configs/config.yaml

@@ -25,3 +25,10 @@ metrics:
 logging:
   level: "info"
   format: "json"
+
+static_analysis:
+  enabled: false
+  check_network: false
+  check_exec: false
+  check_reflection: false
+  check_filesystem: false

src/internal/analysis/analyzer.go

@@ -0,0 +1,189 @@
+package analysis
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/kevingruber/gradle-cache/internal/config"
+)
+
+// Violation describes a single forbidden API reference found in a class file.
+type Violation struct {
+	Class    string `json:"class"`    // e.g. "com/student/Homework"
+	Matched  string `json:"matched"`  // e.g. "java/net/Socket"
+	Category string `json:"category"` // e.g. "network"
+}
+
+// Analyzer inspects Java bytecode for forbidden API usage.
+type Analyzer struct {
+	rules []rule
+}
+
+type rule struct {
+	category string
+	patterns []string
+}
+
+// New creates an Analyzer whose active rules are determined by cfg.
+func New(cfg config.StaticAnalysisConfig) *Analyzer {
+	a := &Analyzer{}
+	if cfg.CheckNetwork {
+		a.rules = append(a.rules, rule{"network", networkPatterns})
+	}
+	if cfg.CheckExec {
+		a.rules = append(a.rules, rule{"exec", execPatterns})
+	}
+	if cfg.CheckReflection {
+		a.rules = append(a.rules, rule{"reflection", reflectionPatterns})
+	}
+	if cfg.CheckFilesystem {
+		a.rules = append(a.rules, rule{"filesystem", filesystemPatterns})
+	}
+	return a
+}
+
+// Check inspects data for forbidden API usage.
+// Gradle cache entries are gzip-compressed tar archives — those are handled first.
+// Plain ZIP/JAR files are also supported.
+// Any other format is passed through silently (returns nil, nil).
+func (a *Analyzer) Check(data []byte) ([]Violation, error) {
+	switch {
+	case isGzip(data):
+		return a.checkGzipTar(data)
+	case isZIP(data):
+		seen := make(map[string]struct{})
+		return a.checkZIP(data, seen)
+	default:
+		return nil, nil
+	}
+}
+
+// checkGzipTar decompresses a gzip stream and scans the tar entries inside.
+// .class files are scanned directly; .jar files inside the tar are opened as
+// ZIPs and their .class files scanned one level deep.
+func (a *Analyzer) checkGzipTar(data []byte) ([]Violation, error) {
+	gr, err := gzip.NewReader(bytes.NewReader(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open gzip stream: %w", err)
+	}
+	defer gr.Close()
+
+	tr := tar.NewReader(gr)
+	seen := make(map[string]struct{})
+	var violations []Violation
+
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("failed to read tar entry: %w", err)
+		}
+
+		entryData, err := io.ReadAll(tr)
+		if err != nil {
+			continue
+		}
+
+		switch {
+		case strings.HasSuffix(hdr.Name, ".class"):
+			// Direct class file — common for compileJava task output.
+			className := strings.TrimSuffix(hdr.Name, ".class")
+			v := a.scanClassBytes(className, entryData, seen)
+			violations = append(violations, v...)
+
+		case strings.HasSuffix(hdr.Name, ".jar"):
+			// JAR inside the tar — common for the jar task output.
+			v, err := a.checkZIP(entryData, seen)
+			if err != nil {
+				continue
+			}
+			violations = append(violations, v...)
+		}
+	}
+
+	return violations, nil
+}
+
+// checkZIP opens data as a ZIP archive and scans every .class file inside.
+func (a *Analyzer) checkZIP(data []byte, seen map[string]struct{}) ([]Violation, error) {
+	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open ZIP: %w", err)
+	}
+
+	var violations []Violation
+
+	for _, f := range zr.File {
+		if !strings.HasSuffix(f.Name, ".class") {
+			continue
+		}
+
+		rc, err := f.Open()
+		if err != nil {
+			continue
+		}
+		classData, err := io.ReadAll(rc)
+		rc.Close()
+		if err != nil {
+			continue
+		}
+
+		className := strings.TrimSuffix(f.Name, ".class")
+		v := a.scanClassBytes(className, classData, seen)
+		violations = append(violations, v...)
+	}
+
+	return violations, nil
+}
+
+// scanClassBytes parses a single .class file and returns any violations.
+// seen deduplicates across multiple calls (shared within one Check invocation).
+func (a *Analyzer) scanClassBytes(className string, data []byte, seen map[string]struct{}) []Violation {
+	poolStrings, err := extractConstantPoolStrings(data)
+	if err != nil {
+		return nil
+	}
+
+	var violations []Violation
+
+	for _, s := range poolStrings {
+		for _, r := range a.rules {
+			for _, pattern := range r.patterns {
+				if !strings.HasPrefix(s, pattern) {
+					continue
+				}
+				key := className + "|" + s + "|" + r.category
+				if _, dup := seen[key]; dup {
+					continue
+				}
+				seen[key] = struct{}{}
+				violations = append(violations, Violation{
+					Class:    className,
+					Matched:  s,
+					Category: r.category,
+				})
+			}
+		}
+	}
+
+	return violations
+}
+
+// isGzip returns true when data begins with the gzip magic bytes.
+func isGzip(data []byte) bool {
+	return len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b
+}
+
+// isZIP returns true when data begins with the ZIP local file header signature.
+func isZIP(data []byte) bool {
+	return len(data) >= 4 &&
+		data[0] == 0x50 && data[1] == 0x4B &&
+		data[2] == 0x03 && data[3] == 0x04
+}

src/internal/analysis/classfile.go

@@ -0,0 +1,77 @@
+package analysis
+
+import (
+	"encoding/binary"
+	"fmt"
+)
+
+// extractConstantPoolStrings parses a Java class file and returns every UTF-8
+// string from its constant pool. Class names, method names, field names, and
+// type descriptors all appear there verbatim, so scanning these strings is
+// sufficient to detect forbidden API references without executing any code.
+func extractConstantPoolStrings(data []byte) ([]string, error) {
+	if len(data) < 10 {
+		return nil, fmt.Errorf("class file too short (%d bytes)", len(data))
+	}
+
+	// Validate magic bytes: 0xCAFEBABE
+	if data[0] != 0xCA || data[1] != 0xFE || data[2] != 0xBA || data[3] != 0xBE {
+		return nil, fmt.Errorf("missing class file magic bytes")
+	}
+
+	// Skip magic (4) + minor_version (2) + major_version (2)
+	pos := 8
+
+	if pos+2 > len(data) {
+		return nil, fmt.Errorf("truncated before constant_pool_count")
+	}
+	cpCount := int(binary.BigEndian.Uint16(data[pos : pos+2]))
+	pos += 2
+
+	var result []string
+
+	// Pool indices run from 1 to cpCount-1.
+	for i := 1; i < cpCount; i++ {
+		if pos >= len(data) {
+			return nil, fmt.Errorf("unexpected end of constant pool at entry %d", i)
+		}
+
+		tag := data[pos]
+		pos++
+
+		switch tag {
+		case 1: // CONSTANT_Utf8 — variable length string
+			if pos+2 > len(data) {
+				return nil, fmt.Errorf("truncated Utf8 length at entry %d", i)
+			}
+			length := int(binary.BigEndian.Uint16(data[pos : pos+2]))
+			pos += 2
+			if pos+length > len(data) {
+				return nil, fmt.Errorf("truncated Utf8 data at entry %d", i)
+			}
+			result = append(result, string(data[pos:pos+length]))
+			pos += length
+
+		case 3, 4: // CONSTANT_Integer, CONSTANT_Float
+			pos += 4
+
+		case 5, 6: // CONSTANT_Long, CONSTANT_Double — consume two pool slots
+			pos += 8
+			i++
+
+		case 7, 8, 16, 19, 20: // Class, String, MethodType, Module, Package
+			pos += 2
+
+		case 9, 10, 11, 12, 17, 18: // Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
+			pos += 4
+
+		case 15: // CONSTANT_MethodHandle
+			pos += 3
+
+		default:
+			return nil, fmt.Errorf("unknown constant pool tag %d at entry %d", tag, i)
+		}
+	}
+
+	return result, nil
+}

src/internal/analysis/patterns.go

@@ -0,0 +1,48 @@
+package analysis
+
+// Forbidden API prefix lists, grouped by category.
+// HasPrefix matching is used so e.g. "java/net/Socket" also covers
+// SocketInputStream, SocketOutputStream, etc. A trailing slash like "sun/net/"
+// catches the entire package subtree.
+
+var networkPatterns = []string{
+	"java/net/Socket",
+	"java/net/ServerSocket",
+	"java/net/DatagramSocket",
+	"java/net/MulticastSocket",
+	"java/net/URL",
+	"java/net/HttpURLConnection",
+	"java/net/InetAddress",
+	"java/net/InetSocketAddress",
+	"java/net/URLConnection",
+	"java/nio/channels/SocketChannel",
+	"java/nio/channels/ServerSocketChannel",
+	"java/nio/channels/DatagramChannel",
+	"sun/net/",
+}
+
+var execPatterns = []string{
+	"java/lang/Runtime",
+	"java/lang/ProcessBuilder",
+	"java/lang/Process",
+}
+
+var reflectionPatterns = []string{
+	"java/lang/reflect/Method",
+	"java/lang/reflect/Field",
+	"java/lang/reflect/Constructor",
+	"java/lang/ClassLoader",
+	"java/lang/invoke/MethodHandle",
+	"sun/misc/Unsafe",
+}
+
+var filesystemPatterns = []string{
+	"java/io/FileOutputStream",
+	"java/io/FileInputStream",
+	"java/io/FileWriter",
+	"java/io/FileReader",
+	"java/io/RandomAccessFile",
+	"java/nio/file/Files",
+	"java/nio/file/Path",
+	"java/nio/channels/FileChannel",
+}