feat: 支持dependency-check离线扫描 #23
cnlkl committed Mar 23, 2023
1 parent 674df95 commit 28b879f
Showing 5 changed files with 51 additions and 19 deletions.
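--- a/dependency-check/README.md
+++ b/dependency-check/README.md
@@ -18,3 +18,18 @@
 ---
 
 最后在蓝鲸制品库Admin中配置`Standard`类型的扫描器,启动命令设置为`/bkrepo-dependency-check`
+
+### 离线扫描
+
+在无法访问外网的环境,可以在制品库Admin中为扫描器增加下面的参数
+
+1. boolean类型参数`offline`设置为true
+2. string类型参数`dbUrl`设置为漏洞库的下载链接
+
+#### 漏洞库创建
+
+在dependency-check镜像中执行`/usr/share/dependency-check/bin/dependency-check.sh --updateonly`后,
+`/usr/share/dependency-check/data`路径下的`odc.mv.db``publishedSuppressions.xml``jsrepository.json`打包成tar.gz
+上传到执行扫描的环境可访问的位置即可
+
+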
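--- a/dependency-check/go.mod
+++ b/dependency-check/go.mod
@@ -2,4 +2,4 @@ module github.com/TencentBlueKing/ci-repoAnalysis/dependency-check
 
 go 1.18
 
-require github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12
+require github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13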
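--- a/dependency-check/go.sum
+++ b/dependency-check/go.sum
@@ -1,2 +1,2 @@
-github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12 h1:Pb8Y0QqLJ2Z0ZI4oN7hdh3yXROdIOD6ZXTwuIB+IOZ8=
-github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12/go.mod h1:8fgb+y0YWqULX/oVg4dsWAq6ftsVZfFrXQjCKXwAE1Q=
+github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13 h1:6I/b2mCflzjYoHFgQZsNWh9pMLOipaO/p3SpmR8wL0g=
+github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13/go.mod h1:8fgb+y0YWqULX/oVg4dsWAq6ftsVZfFrXQjCKXwAE1Q=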
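--- a/dependency-check/pkg/constant.go
+++ b/dependency-check/pkg/constant.go
@@ -2,3 +2,12 @@ package pkg
 
 // CMDDependencyCheck 命令
 const CMDDependencyCheck = "/usr/share/dependency-check/bin/dependency-check.sh"
+
+// DirDependencyCheckData 漏洞库存放目录
+const DirDependencyCheckData = "/usr/share/dependency-check/data"
+
+// ConfigOffline 是否使用离线模式
+const ConfigOffline = "offline"
+
+// ConfigDbUrl 漏洞库下载地址
+const ConfigDbUrl = "dbUrl"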
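Review bot: `ConfigDbUrl` departs from the Go initialism convention (`ConfigDBURL`) that the sibling `CMDDependencyCheck` already follows with its upper-case `CMD`; since the constant is new in this commit, renaming it now costs nothing and the configured key `"dbUrl"` stays the same. The comment on it could also say what the link must point at, since the README describes a specific archive layout: `// ConfigDbUrl is the key of the download URL for a tar.gz of the dependency-check data directory (see README, 漏洞库创建).`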
40 changes: 24 additions & 16 deletions dependency-check/pkg/scan_executor.go
@@ -1,29 +1,40 @@
package pkg

import (
"bytes"
"encoding/json"
"errors"
"github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang/object"
"github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang/util"
"os"
"os/exec"
)

// DependencyCheckExecutor DependencyCheck分析器
type DependencyCheckExecutor struct{}

// Execute 执行分析
func (e DependencyCheckExecutor) Execute(config *object.ToolConfig, file *os.File) (*object.ToolOutput, error) {
reportFile, err := doExecute(file.Name())
offline, err := config.GetBoolArg(ConfigOffline)
if err != nil {
return nil, err
}

// 下载漏洞库
dbUrl := config.GetStringArg(ConfigDbUrl)
if len(dbUrl) > 0 {
if err := util.ExtractTarUrl(dbUrl, DirDependencyCheckData, 0555); err != nil {
return nil, err
}
}

// 执行扫描
reportFile, err := doExecute(file.Name(), offline)
if err != nil {
return nil, err
}
return transform(reportFile)
}

// doExecute 执行扫描,扫描成功后返回报告路径
func doExecute(inputFile string) (string, error) {
func doExecute(inputFile string, offline bool) (string, error) {
// dependency-check.sh --scan /src --format JSON --out /report

const reportFile = "/report"
Expand All @@ -33,19 +44,16 @@ func doExecute(inputFile string) (string, error) {
"--out", reportFile,
}

cmd := exec.Command(CMDDependencyCheck, args...)
util.Info(cmd.String())
if offline {
args = append(
args, "--noupdate",
"--disableYarnAudit", "--disablePnpmAudit", "--disableNodeAudit", "--disableOssIndex", "--disableCentral")
}

var out bytes.Buffer
var stderr bytes.Buffer
cmd.Stdout = &out
cmd.Stderr = &stderr
err := cmd.Run()
if err != nil {
return "", errors.New("error: " + err.Error() + "\n" + stderr.String())
if err := util.ExecAndLog(CMDDependencyCheck, args); err != nil {
return "", err
}
util.Info(out.String())
util.Info(stderr.String())

return reportFile + "/dependency-check-report.json", nil
}
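Review bot: The vulnerability-database archive fetched from `dbUrl` in Execute (first hunk, L92-L97 region) is extracted straight into `DirDependencyCheckData` with no integrity check, and the README shows that archive carries `publishedSuppressions.xml`, so whoever controls that URL also controls which findings the scanner suppresses as well as the CVE data it matches against. Consider verifying a configured digest of the downloaded archive before extraction, or at minimum documenting at `ConfigDbUrl` that the link must be a trusted source; whether `util.ExtractTarUrl` rejects archive entries that escape the target directory is not visible here and is worth confirming in the SDK. Execute also downloads whenever `dbUrl` is non-empty regardless of `offline`, while the README presents the two parameters as a pair, so a comment such as `// dbUrl is applied even when offline is false` would prevent surprises, and if `config.GetBoolArg` returns an error for an absent argument (not visible here), existing scanner configurations without `offline` would now fail. The body of doExecute continues between the two hunks, outside what is shown.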

