From 28b879f89f2b4e285674353d2824b4a531fe2d45 Mon Sep 17 00:00:00 2001 From: kunlongli Date: Thu, 23 Mar 2023 17:48:23 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81dependency-check?= =?UTF-8?q?=E7=A6=BB=E7=BA=BF=E6=89=AB=E6=8F=8F=20#23?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dependency-check/README.md | 15 ++++++++++ dependency-check/go.mod | 2 +- dependency-check/go.sum | 4 +-- dependency-check/pkg/constant.go | 9 ++++++ dependency-check/pkg/scan_executor.go | 40 ++++++++++++++++----------- 5 files changed, 51 insertions(+), 19 deletions(-) diff --git a/dependency-check/README.md b/dependency-check/README.md index 9606acf..9362788 100644 --- a/dependency-check/README.md +++ b/dependency-check/README.md @@ -18,3 +18,18 @@ --- 最后在蓝鲸制品库Admin中配置`Standard`类型的扫描器,启动命令设置为`/bkrepo-dependency-check` + +### 离线扫描 + +在无法访问外网的环境,可以在制品库Admin中为扫描器增加下面的参数 + +1. boolean类型参数`offline`设置为true +2. string类型参数`dbUrl`设置为漏洞库的下载链接 + +#### 漏洞库创建 + +在dependency-check镜像中执行`/usr/share/dependency-check/bin/dependency-check.sh --updateonly`后, +将`/usr/share/dependency-check/data`路径下的`odc.mv.db`、`publishedSuppressions.xml`、`jsrepository.json`打包成tar.gz +上传到执行扫描的环境可访问的位置即可 + + diff --git a/dependency-check/go.mod b/dependency-check/go.mod index 1eb827f..4dcfa8d 100644 --- a/dependency-check/go.mod +++ b/dependency-check/go.mod @@ -2,4 +2,4 @@ module github.com/TencentBlueKing/ci-repoAnalysis/dependency-check go 1.18 -require github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12 +require github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13 diff --git a/dependency-check/go.sum b/dependency-check/go.sum index c4b84d7..1635a35 100644 --- a/dependency-check/go.sum +++ b/dependency-check/go.sum 
@@ -1,2 +1,2 @@ -github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12 h1:Pb8Y0QqLJ2Z0ZI4oN7hdh3yXROdIOD6ZXTwuIB+IOZ8= -github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.12/go.mod h1:8fgb+y0YWqULX/oVg4dsWAq6ftsVZfFrXQjCKXwAE1Q= +github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13 h1:6I/b2mCflzjYoHFgQZsNWh9pMLOipaO/p3SpmR8wL0g= +github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang v0.0.13/go.mod h1:8fgb+y0YWqULX/oVg4dsWAq6ftsVZfFrXQjCKXwAE1Q= diff --git a/dependency-check/pkg/constant.go b/dependency-check/pkg/constant.go index 00cf19f..8be9427 100644 --- a/dependency-check/pkg/constant.go +++ b/dependency-check/pkg/constant.go @@ -2,3 +2,12 @@ package pkg // CMDDependencyCheck 命令 const CMDDependencyCheck = "/usr/share/dependency-check/bin/dependency-check.sh" + +// DirDependencyCheckData 漏洞库存放目录 +const DirDependencyCheckData = "/usr/share/dependency-check/data" + +// ConfigOffline 是否使用离线模式 +const ConfigOffline = "offline" + +// ConfigDbUrl 漏洞库下载地址 +const ConfigDbUrl = "dbUrl" diff --git a/dependency-check/pkg/scan_executor.go b/dependency-check/pkg/scan_executor.go index b00dd3a..d135c51 100644 --- a/dependency-check/pkg/scan_executor.go +++ b/dependency-check/pkg/scan_executor.go @@ -1,13 +1,10 @@ package pkg import ( - "bytes" "encoding/json" - "errors" "github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang/object" "github.com/TencentBlueKing/ci-repoAnalysis/analysis-tool-sdk-golang/util" "os" - "os/exec" ) // DependencyCheckExecutor DependencyCheck分析器 
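Review bot: The new exported names in constant.go use `Db`/`Url` casing (`ConfigDbUrl`), while Go convention keeps initialisms uniform, so `ConfigDBURL` would read as idiomatic; the string value `"dbUrl"` is the admin-facing argument name and should stay as is. The doc comments are also a little terse for a security-relevant setting: `DirDependencyCheckData` is the directory that a downloaded, operator-supplied archive gets unpacked into, and `ConfigDbUrl` names a URL the scanner will fetch and trust, so comments such as `// DirDependencyCheckData is the dependency-check data directory that a configured dbUrl archive is extracted into.` and `// ConfigDbUrl names the admin argument holding the URL of a tar.gz vulnerability-database bundle; the scanner downloads and unpacks it before every scan.` would tell a reader what trust is placed on these values.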
@@ -15,7 +12,21 @@ type DependencyCheckExecutor struct{} // Execute 执行分析 func (e DependencyCheckExecutor) Execute(config *object.ToolConfig, file *os.File) (*object.ToolOutput, error) { - reportFile, err := doExecute(file.Name()) + offline, err := config.GetBoolArg(ConfigOffline) + if err != nil { + return nil, err + } + + // 下载漏洞库 + dbUrl := config.GetStringArg(ConfigDbUrl) + if len(dbUrl) > 0 { + if err := util.ExtractTarUrl(dbUrl, DirDependencyCheckData, 0555); err != nil { + return nil, err + } + } + + // 执行扫描 + reportFile, err := doExecute(file.Name(), offline) if err != nil { return nil, err } @@ -23,7 +34,7 @@ func (e DependencyCheckExecutor) Execute(config *object.ToolConfig, file *os.Fil } // doExecute 执行扫描,扫描成功后返回报告路径 -func doExecute(inputFile string) (string, error) { +func doExecute(inputFile string, offline bool) (string, error) { // dependency-check.sh --scan /src --format JSON --out /report const reportFile = "/report" @@ -33,19 +44,16 @@ func doExecute(inputFile string) (string, error) { "--out", reportFile, } - cmd := exec.Command(CMDDependencyCheck, args...) - util.Info(cmd.String()) + if offline { + args = append( + args, "--noupdate", + "--disableYarnAudit", "--disablePnpmAudit", "--disableNodeAudit", "--disableOssIndex", "--disableCentral") + } - var out bytes.Buffer - var stderr bytes.Buffer - cmd.Stdout = &out - cmd.Stderr = &stderr - err := cmd.Run() - if err != nil { - return "", errors.New("error: " + err.Error() + "\n" + stderr.String()) + if err := util.ExecAndLog(CMDDependencyCheck, args); err != nil { + return "", err } - util.Info(out.String()) - util.Info(stderr.String()) + return reportFile + "/dependency-check-report.json", nil }
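Review bot: The vulnerability database fetched by `util.ExtractTarUrl(dbUrl, DirDependencyCheckData, 0555)` in Execute is trusted with no integrity check, so anyone who can change the `dbUrl` argument or interpose on the download path can swap in an `odc.mv.db` that silently omits known CVEs (or a crafted H2 file that dependency-check then opens); consider accepting an expected digest next to the URL, e.g. a `dbSha256` string argument checked against the downloaded archive before it is unpacked, and confirm that the SDK's ExtractTarUrl rejects `..` entry names, which is not visible here and matters because the target is an absolute directory inside the scanner image. The download is also unconditional: with `offline` false and `dbUrl` set the unpacked data is immediately superseded by dependency-check's own update, and with `offline` true and no `dbUrl` the scan runs `--noupdate` against whatever the image already contains, so a guard such as `if offline && dbUrl == "" { return nil, errors.New("offline scan requires dbUrl") }` (the `errors` import this commit drops would be needed again) would keep a stale-database scan from passing silently. Extracting with mode 0555 may leave the data directory read-only for H2's lock files, and any analyzer not covered by the disable flags in doExecute (newer releases also fetch the known-exploited-vulnerabilities feed and hosted suppressions) would still attempt the network; both depend on the bundled dependency-check version, which this diff does not show. Execute's tail, where the report is read back, falls between the hunks shown.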