diff --git a/.goreleaser.yml b/.goreleaser.yml
index 69fa2f80a8612fa0ec2c71f7898dfd38242f220d..8b246b092f87062f7deb8e5ad3367d429fb69c15 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,33 +1,35 @@
-{
- "project_name": "opensca-cli",
- "builds":
- [
- {
- "env": ["CGO_ENABLED=0"],
- "goos": ["linux", "windows", "darwin"],
- "goarch": [386, "amd64", "arm", "arm64"],
- "goarm": [6, 7],
- "id": "opensca-cli",
- "dir": ".",
- "binary": "opensca-cli",
- "main": "./cli/",
- },
- ],
- "archives":
- [
- {
- "replacements":
- {
- "386": "i386",
- "darwin": "Darwin",
- "linux": "Linux",
- "windows": "Windows",
- "amd64": "x86_64",
- },
- "files": ["LICENSE", "config.json", "README.md"],
- "format": "zip",
- },
- ],
- "checksum": { "name_template": "checksums.txt" },
- "snapshot": { "name_template": "{{.Tag}}" },
-}
+project_name: opensca-cli
+builds:
+ - env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - windows
+ - darwin
+ goarch:
+ - 386
+ - amd64
+ - arm
+ - arm64
+ goarm:
+ - 6
+ - 7
+ id: opensca-cli
+ dir: .
+ binary: opensca-cli
+ main: ./cli/
+archives:
+ - name_template: >-
+ {{.ProjectName}}_{{.Tag}}_{{- title .Os}}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "386" }}i386
+ {{- else}}{{.Arch}}{{.Arm}}{{end}}
+ files:
+ - LICENSE
+ - config.json
+ - README.md
+ format: zip
+checksum:
+ name_template: checksums.txt
+snapshot:
+ name_template: "{{.Tag}}"
diff --git a/analyzer/engine/engine.go b/analyzer/engine/engine.go
index e3f184533e0b7618a1878bad493ed7a56d97406e..46ce26edbd2ea9b6387970fe41b017d1d4662946 100644
--- a/analyzer/engine/engine.go
+++ b/analyzer/engine/engine.go
@@ -102,7 +102,7 @@ func (e Engine) ParseFile(filepath string) (depRoot *model.DepTree, taskInfo rep
 // 解析目录树获取依赖树
 e.parseDependency(dirRoot, depRoot)
 // 获取漏洞
- taskInfo.Error = vuln.SearchVuln(depRoot)
+ taskInfo.Error = vuln.SearchDetail(depRoot)
 // 是否仅保留漏洞组件
 if args.Config.OnlyVuln {
 root := model.NewDepTree(nil)
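Review bot: In the rewritten `goarch` and `goarm` lists the entries `386`, `6` and `7` are bare YAML scalars, which a YAML parser reads as integers rather than strings, while every other entry in those lists is a string. Quoting them (`- "386"`, `- "6"`, `- "7"`) states the intent explicitly instead of relying on the loader coercing numbers into string fields; whether goreleaser's loader performs that coercion cannot be confirmed from the diff, so this is a readability point first. The old JSON had the same bare numbers, so this is not a regression introduced here.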
diff --git a/analyzer/javascript/package_json.go b/analyzer/javascript/package_json.go
index 2aec0c4a778e9af85540ad26250f9fd8cf551d99..2e8889528cde8640f60763a8748845fdd44ceb39 100644
--- a/analyzer/javascript/package_json.go
+++ b/analyzer/javascript/package_json.go
@@ -50,7 +50,9 @@ func parsePackage(root *model.DepTree, file *model.FileInfo, simulation bool) (d
 if pkg.Version != "" {
 root.Version = model.NewVersion(pkg.Version)
 }
- root.AddLicense(pkg.License)
+ root.AddLicense(model.LicenseInfo{
+ ShortName: pkg.License,
+ })
 root.HomePage = pkg.HomePage
 // 依赖列表map[name]version
 depMap := map[string]string{}
@@ -145,7 +147,7 @@ func npmSimulation(dep *model.DepTree, exist map[string]struct{}) (subDeps []*mo
 }
 info := npm.Versions[latestVersion]
 dep.Version = model.NewVersion(latestVersion)
- dep.AddLicense(info.License)
+ dep.AddLicense(model.LicenseInfo{ShortName: info.License})
 // 解析子依赖
 names := []string{}
 for name := range info.Deps {
diff --git a/analyzer/php/composer.go b/analyzer/php/composer.go
index 0403888aabb3f7f0f447f700c1d4cd8aa3367a96..908808a7d5e2d88185a868b530cb284f9ac15b67 100644
--- a/analyzer/php/composer.go
+++ b/analyzer/php/composer.go
@@ -53,7 +53,7 @@ func parseComposer(root *model.DepTree, file *model.FileInfo, simulation bool) (
 root.DownloadLocation = composer.Support["source"]
 // add license
 if composer.License != "" {
- root.AddLicense(composer.License)
+ root.AddLicense(model.LicenseInfo{ShortName: composer.License})
 }
 // parse direct dependency
 requires := map[string]string{}
diff --git a/analyzer/python/setup.go b/analyzer/python/setup.go
index e48dc73f5d921a48a06ad3413dd597b7d17abf71..bce9c1d3c75aa8c7658c769cacd462571739379d 100644
--- a/analyzer/python/setup.go
+++ b/analyzer/python/setup.go
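Review bot: `root.AddLicense(model.LicenseInfo{ShortName: pkg.License})` runs even when `pkg.License` is empty, so a package.json without a license field contributes an entry with an empty name to `Licenses` (deduplicated to one by AddLicense's key), whereas the composer.go hunk in this same commit guards the identical call with `if composer.License != ""`. The same unguarded call appears in the npmSimulation hunk below (`info.License`) and in the analyzer/python/setup.go hunk (`dep.License`). I'd add the same guard at all three sites, `if pkg.License != "" { root.AddLicense(model.LicenseInfo{ShortName: pkg.License}) }`; the empty-string case existed with the old `[]string` form too, but with a struct it now surfaces as a `{"name":""}` object in the report. parsePackage continues outside the hunk on both sides.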
@@ -57,7 +57,7 @@ func parseSetup(root *model.DepTree, file *model.FileInfo) {
 }
 root.Name = dep.Name
 root.Version = model.NewVersion(dep.Version)
- root.Licenses = append(root.Licenses, dep.License)
+ root.AddLicense(model.LicenseInfo{ShortName: dep.License})
 for _, pkg := range [][]string{dep.Packages, dep.InstallRequires, dep.Requires} {
 for _, p := range pkg {
 index := strings.IndexAny(p, "=<>")
diff --git a/util/client/client.go b/util/client/client.go
index c5a766078cb05bb62a7022cbcd127ca54d72d3c3..e8005dccfb05a5e1596bb1dc14a6d130a31238a3 100644
--- a/util/client/client.go
+++ b/util/client/client.go
@@ -93,7 +93,7 @@ func GetClientId() string {
 }
 
 // Detect 发送任务解析请求
-func Detect(reqbody []byte) (repbody []byte, err error) {
+func Detect(dtype string, reqbody []byte) (repbody []byte, err error) {
 repbody = []byte{}
 // 获取aes-key
 key, err := getAesKey()
@@ -120,13 +120,16 @@ func Detect(reqbody []byte) (repbody []byte, err error) {
 return repbody, err
 }
 // 发送数据
- rep, err := http.Post(url, "application/json", bytes.NewReader(data))
+ req, err := http.NewRequest("POST", url, bytes.NewReader(data))
+ req.Header.Add("Content-Type", "application/json")
+ req.Header.Add("Detect-Type", dtype)
+ resp, err := http.DefaultClient.Do(req)
 if err != nil {
 return repbody, err
 }
- defer rep.Body.Close()
- if rep.StatusCode == 200 {
- repbody, err = ioutil.ReadAll(rep.Body)
+ defer resp.Body.Close()
+ if resp.StatusCode == 200 {
+ repbody, err = ioutil.ReadAll(resp.Body)
 if err != nil {
 logs.Error(err)
 return
@@ -159,7 +162,7 @@ func Detect(reqbody []byte) (repbody []byte, err error) {
 }
 }
 } else {
- return repbody, fmt.Errorf("%s status code: %d", url, rep.StatusCode)
+ return repbody, fmt.Errorf("%s status code: %d", url, resp.StatusCode)
 }
 }
 
diff --git a/util/model/dependency.go b/util/model/dependency.go
index 3eb8e31969e302f1df8a75dbedf50cfc708b38f1..16d75664f866ff7aae917721c626a93e44977cb1 100644
--- a/util/model/dependency.go
+++ b/util/model/dependency.go
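Review bot: The doc comment `// Detect 发送任务解析请求` was not updated for the new `dtype` parameter, and nothing in this hunk says what values it takes. Since the value is forwarded verbatim as the `Detect-Type` request header in the next hunk of this file, I'd extend the comment to `// Detect sends a parse task to the server; dtype is sent verbatim as the Detect-Type request header to identify the detection type.` and point at wherever the accepted values are defined. Detect's body continues outside the hunk.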
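Review bot: The error returned by `http.NewRequest` is never checked: `req.Header.Add(...)` on the next line dereferences `req`, which is nil when NewRequest fails (for instance on a malformed `url`), and the error value is then overwritten by `resp, err := http.DefaultClient.Do(req)`. Add `if err != nil { return repbody, err }` directly after the NewRequest line. While here, `http.DefaultClient` has no timeout, so a stalled server blocks Detect indefinitely; the old `http.Post` call behaved the same way, but now that the client is named explicitly a package-level `&http.Client{Timeout: ...}` would be the natural place to bound it, and `http.MethodPost` reads better than the bare `"POST"`. Detect's body continues on both sides of the hunk.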
@@ -98,7 +98,7 @@ type DepTree struct {
 IndirectVulnerabilities int `json:"indirect_vulnerabilities,omitempty" xml:"indirect_vulnerabilities,omitempty" `
 // 许可证列表
 licenseMap map[string]struct{} `json:"-" xml:"-" `
- Licenses []string `json:"licenses,omitempty" xml:"licenses,omitempty" `
+ Licenses []LicenseInfo `json:"licenses,omitempty" xml:"licenses,omitempty" `
 // spdx相关字段
 CopyrightText string `json:"copyrightText,omitempty" xml:"copyrightText,omitempty" `
 HomePage string `json:"-" xml:"-" `
@@ -120,7 +120,7 @@ func NewDepTree(parent *DepTree) *DepTree {
 Parent: parent,
 Children: []*DepTree{},
 licenseMap: map[string]struct{}{},
- Licenses: []string{},
+ Licenses: []LicenseInfo{},
 CopyrightText: "",
 }
 if parent != nil {
@@ -130,11 +130,11 @@ func NewDepTree(parent *DepTree) *DepTree {
 }
 
 // AddLicense 添加许可证
-func (dep *DepTree) AddLicense(licName string) {
- key := strings.TrimSpace(strings.ToLower(licName))
+func (dep *DepTree) AddLicense(lic LicenseInfo) {
+ key := strings.TrimSpace(strings.ToLower(lic.ShortName))
 if _, ok := dep.licenseMap[key]; !ok {
 dep.licenseMap[key] = struct{}{}
- dep.Licenses = append(dep.Licenses, lic)
 }
 }
 
@@ -183,15 +183,23 @@ func (root *DepTree) String() string {
 for !stack.Empty() {
 node := stack.Pop().(*node)
 dep := node.Dep
+
 vulns := []string{}
 for _, v := range dep.Vulnerabilities {
 vulns = append(vulns, v.Id)
 }
+
 lan := dep.LanguageStr
 if lan == "" {
 lan = dep.Language.String()
 }
- res += fmt.Sprintf("%s%s<%s> path:%s license:%v vulns:%v\n", strings.Repeat("\t", node.Deep), dep.Dependency, lan, dep.Path[strings.Index(dep.Path, "/")+1:], dep.Licenses, vulns)
+
+ lics := make([]string, len(dep.Licenses))
+ for i, lic := range dep.Licenses {
+ lics[i] = lic.ShortName
+ }
+
+ res += fmt.Sprintf("%s%s<%s> path:%s license:%v vulns:%v\n", strings.Repeat("\t", node.Deep), dep.Dependency, lan, dep.Path[strings.Index(dep.Path, "/")+1:], lics, vulns)
 for i := len(dep.Children) - 1; i >= 0; i-- {
 stack.Push(newNode(dep.Children[i], node.Deep+1))
 }
diff --git a/util/model/vuln.go b/util/model/vuln.go
index 92a2db124d6fbfb9f27a00f71c50c3fe47b23acc..b7663af980ca522ff7b5da721348f4dbbe0a1c52 100644
--- a/util/model/vuln.go
+++ b/util/model/vuln.go
@@ -26,3 +26,9 @@ type Vuln struct {
 func NewVuln() *Vuln {
 return &Vuln{}
 }
+
+// LicenseInfo 许可证
+type LicenseInfo struct {
+ ShortName string `json:"name"`
+ // TODO: expand
+}
diff --git a/util/report/html_tpl b/util/report/html_tpl
index ecf657848c4cd1e1f40a8f0124771012bd3ecd5a..36dbaead0843db24cdabbb883b10fcac8cf90d8c 100644
--- a/util/report/html_tpl
+++ b/util/report/html_tpl
@@ -1,2 +1,2 @@
-
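Review bot: `LicenseInfo.ShortName` carries only a `json:"name"` tag, but `DepTree.Licenses` is also serialised with `xml:"licenses,omitempty"` (dependency.go hunk in this commit), so I'd expect the XML report to change from `<licenses>MIT</licenses>` to a nested element named after the Go field, `<licenses><ShortName>MIT</ShortName></licenses>`; adding `xml:"name"` next to `json:"name"` keeps the XML output stable if that is intended. There is also no `omitempty` on the field, so an empty license string now serialises as `{"name":""}` rather than being dropped. Placing the license type in vuln.go rather than beside DepTree in dependency.go (or its own license.go) reads as a placement oddity, especially as the `// TODO: expand` note suggests the type will grow.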