Not print vulnerability info. for jar analysis

.gitignore

@@ -0,0 +1,20 @@
+# Environment variables (contains secrets)
+.env
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.eggs/
+
+# Test & coverage
+.tox/
+.coverage
+htmlcov/
+.pytest_cache/
+
+# fosslight output
+fosslight_log_*.txt
+fosslight_report_*.xlsx

.reuse/dep5

@@ -58,14 +58,14 @@ Files: .bumpversion.cfg
 Copyright: 2021 LG Electronics
 License: Apache-2.0
 
-Files: src/fosslight_binary/third_party/*
-Copyright: 2013 Jeremy Long
-License: Apache-2.0
-
 Files: cli.spec
 Copyright: 2025 LG Electronics
 License: Apache-2.0
 
 Files: .coderabbit.yaml
 Copyright: 2026 LG Electronics
 License: Apache-2.0
+
+Files: .gitignore
+Copyright: 2026 LG Electronics
+License: Apache-2.0

cli.spec

@@ -6,10 +6,6 @@ a = Analysis(
     pathex=['src'],  # source package path for fosslight_binary
     binaries=[],
     datas=[
-        ('src/fosslight_binary/third_party/dependency-check/bin', 'third_party/dependency-check/bin'),
-        ('src/fosslight_binary/third_party/dependency-check/lib', 'third_party/dependency-check/lib'),
-        ('src/fosslight_binary/third_party/dependency-check/licenses', 'third_party/dependency-check/licenses'),
-        ('src/fosslight_binary/third_party/dependency-check', 'third_party/dependency-check'),
         ('LICENSES', 'LICENSES'),
         ('LICENSE', 'LICENSES'),
     ],

pyproject.toml

@@ -27,6 +27,7 @@ requires-python = ">=3.10,<3.15"
 dependencies = [
     "binaryornot==0.4.4",
     "chardet<5.0.0",
+    "defusedxml",
     "numpy",
     "pandas",
     "parmap",
@@ -58,10 +59,4 @@ package-dir = {"" = "src"}
 where = ["src"]
 
 [tool.setuptools.package-data]
-fosslight_binary = [
-    "third_party/dependency-check/bin/*",
-    "third_party/dependency-check/lib/*",
-    "third_party/dependency-check/licenses/*",
-    "third_party/dependency-check/*.txt",
-    "third_party/dependency-check/*.md",
-]
+fosslight_binary = []

src/fosslight_binary/__init__.py

@@ -2,78 +2,3 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2025 LG Electronics Inc.
 # SPDX-License-Identifier: Apache-2.0
-import logging
-import os
-import subprocess
-import sys
-
-logger = logging.getLogger(__name__)
-
-# Static path always used; environment overrides are ignored now.
-_PKG_DIR = os.path.dirname(__file__)
-_DC_HOME = os.path.join(_PKG_DIR, 'third_party', 'dependency-check')
-
-# Fallback: project root layout (editable install) or current working directory
-if not os.path.isdir(_DC_HOME):
-    _PROJECT_ROOT = os.path.abspath(os.path.join(_PKG_DIR, '..', '..'))
-    candidate = os.path.join(_PROJECT_ROOT, 'third_party', 'dependency-check')
-    if os.path.isdir(candidate):
-        _DC_HOME = candidate
-    else:
-        cwd_candidate = os.path.join(os.getcwd(), 'third_party', 'dependency-check')
-        if os.path.isdir(cwd_candidate):
-            _DC_HOME = cwd_candidate
-if not os.path.isdir(_DC_HOME) and getattr(sys, 'frozen', False):
-    # Frozen executable scenario (PyInstaller onefile): check exe dir and _MEIPASS temp dir.
-    exe_dir = os.path.dirname(os.path.abspath(sys.executable))
-    exe_candidate = os.path.join(exe_dir, 'third_party', 'dependency-check')
-    if os.path.isdir(exe_candidate):
-        _DC_HOME = exe_candidate
-    else:
-        tmp_root = getattr(sys, '_MEIPASS', '')
-        if tmp_root:
-            tmp_candidate = os.path.join(tmp_root, 'third_party', 'dependency-check')
-            if os.path.isdir(tmp_candidate):
-                _DC_HOME = tmp_candidate
-
-
-def get_dependency_check_script():
-    """Return path to static dependency-check CLI script or None if missing."""
-    bin_dir = os.path.join(_DC_HOME, 'bin')
-    if sys.platform.startswith('win'):
-        script = os.path.join(bin_dir, 'dependency-check.bat')
-    else:
-        script = os.path.join(bin_dir, 'dependency-check.sh')
-    return script if os.path.isfile(script) else None
-
-
-def _set_version_env(script_path):
-    """Attempt to run '--version' to populate DEPENDENCY_CHECK_VERSION; ignore errors."""
-    if not script_path or not os.path.exists(script_path):
-        return
-    try:
-        result = subprocess.run([script_path, '--version'], capture_output=True, text=True, timeout=8)
-        if result.returncode == 0:
-            version_line = (result.stdout or '').strip().splitlines()[-1]
-            if version_line:
-                os.environ['DEPENDENCY_CHECK_VERSION'] = version_line
-    except Exception as ex:
-        logger.debug(f"Could not obtain dependency-check version: {ex}")
-
-
-def _init_static_dependency_check():
-    if not os.path.isdir(_DC_HOME):
-        logger.info("Dependency-check not found under third_party/dependency-check.")
-        return
-    os.environ['DEPENDENCY_CHECK_HOME'] = _DC_HOME
-    script = get_dependency_check_script()
-    _set_version_env(script)
-    logger.debug(f"dependency-check home set to: {_DC_HOME}")
-
-
-# Perform lightweight initialization (no network, no extraction)
-_init_static_dependency_check()
-
-__all__ = [
-    'get_dependency_check_script'
-]

src/fosslight_binary/_binary.py

@@ -2,41 +2,26 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2020 LG Electronics Inc.
 # SPDX-License-Identifier: Apache-2.0
-import urllib.parse
 import logging
 import fosslight_util.constant as constant
 from fosslight_util.oss_item import FileItem
 
 EXCLUDE_TRUE_VALUE = "Exclude"
 TLSH_CHECKSUM_NULL = "0"
-MAX_EXCEL_URL_LENGTH = 255
-EXCEEDED_VUL_URL_LENGTH_COMMENT = f"Exceeded the maximum vulnerability URL length of {MAX_EXCEL_URL_LENGTH} characters."
 
 logger = logging.getLogger(constant.LOGGER_NAME)
 
 
-class VulnerabilityItem:
-    file_path = ""
-    vul_id = ""
-    nvd_url = ""
-
-    def __init__(self, file_path, id, url):
-        self.file_path = file_path
-        self.vul_id = id
-        self.nvd_url = url
-
-
 class BinaryItem(FileItem):
     def __init__(self, value):
         super().__init__("")
         self.exclude = False
         self.source_name_or_path = ""
         self.tlsh = TLSH_CHECKSUM_NULL
-        self.vulnerability_items = []
         self.binary_name_without_path = ""
         self.bin_name_with_path = value
         self.is_binary = True
-        self.found_in_owasp = False
+        self.found_in_jar_analysis = False
         self.found_in_bin_db = False  # for debugging
 
     def __del__(self):
@@ -50,29 +35,20 @@ def set_oss_items(self, new_oss_list, exclude=False, exclude_msg=""):
         # Append New input OSS
         self.oss_items.extend(new_oss_list)
 
-    def get_vulnerability_items(self, oss):
-        nvd_url = set([urllib.parse.unquote(vul_item.nvd_url) for vul_item in self.vulnerability_items])
-        nvd_url = ", ".join(nvd_url).strip()
-
-        if nvd_url and len(nvd_url) > MAX_EXCEL_URL_LENGTH:
-            oss.comment = EXCEEDED_VUL_URL_LENGTH_COMMENT
-        return nvd_url
-
     def get_print_array(self):
         items = []
         if self.oss_items:
             for oss in self.oss_items:
                 lic = ",".join(oss.license)
                 exclude = EXCLUDE_TRUE_VALUE if (self.exclude or oss.exclude) else ""
-                nvd_url = self.get_vulnerability_items(oss)
                 items.append([self.source_name_or_path, oss.name, oss.version,
                               lic, oss.download_location, oss.homepage,
                               oss.copyright, exclude, oss.comment,
-                              nvd_url, self.tlsh, self.checksum])
+                              self.tlsh, self.checksum])
         else:
             exclude = EXCLUDE_TRUE_VALUE if self.exclude else ""
             items.append([self.source_name_or_path, '',
-                          '', '', '', '', '', exclude, self.comment, '',
+                          '', '', '', '', '', exclude, self.comment,
                           self.tlsh, self.checksum])
         return items
 

src/fosslight_binary/_binary_dao.py

@@ -55,11 +55,11 @@ def get_oss_info_from_db(bin_info_list, dburl=""):
                 if df_result is not None and len(df_result) > 0:
                     _cnt_auto_identified += 1
                     # Initialize the saved contents at .jar analyzing only once
-                    if not item.found_in_owasp and item.oss_items:
+                    if not item.found_in_jar_analysis and item.oss_items:
                         item.oss_items = []
 
                     for idx, row in df_result.iterrows():
-                        if not item.found_in_owasp:
+                        if not item.found_in_jar_analysis:
                             oss_from_db = OssItem(row['ossname'], row['ossversion'], row['license'])
 
                             if bin_oss_items: