From 7fc4962b386c77f673f7f2aea5d7c7e915518a8f Mon Sep 17 00:00:00 2001
From: luotianqi777
Date: Tue, 7 Mar 2023 18:44:03 +0800
Subject: [PATCH 1/3] add swid support
---
 cli/main.go | 14 +++++---
 config.json | 1 -
 go.work.sum | 4 +++
 util/go.mod | 11 ++++++
 util/go.sum | 23 ++++++++++++
 util/model/dependency.go | 9 +++++
 util/model/purl.go | 5 +--
 util/report/swid.go | 78 ++++++++++++++++++++++++++++++++++++++++
 8 files changed, 136 insertions(+), 9 deletions(-)
 create mode 100644 go.work.sum
 create mode 100644 util/report/swid.go
diff --git a/cli/main.go b/cli/main.go
index 11f31c7..ae62079 100644
--- a/cli/main.go
+++ b/cli/main.go
@@ -45,6 +45,9 @@ func output(depRoot *model.DepTree, taskInfo report.TaskInfo) {
 reportFunc = report.SpdxJson
 } else if strings.HasSuffix(out, ".cdx.json") {
 reportByWriterFunc = report.CycloneDXJson
+ } else if strings.HasSuffix(out, ".swid.json") {
+ out += ".zip"
+ reportByWriterFunc = report.SwidJson
 } else {
 reportFunc = report.Json
 }
@@ -55,20 +58,23 @@ func output(depRoot *model.DepTree, taskInfo report.TaskInfo) {
 reportFunc = report.SpdxXml
 } else if strings.HasSuffix(out, ".cdx.xml") {
 reportByWriterFunc = report.CycloneDXXml
+ } else if strings.HasSuffix(out, ".swid.xml") {
+ out += ".zip"
+ reportByWriterFunc = report.SwidXml
 } else {
- logs.Warn(fmt.Sprintf("not support report format: %s", args.Config.Out))
+ logs.Warn(fmt.Sprintf("not support report format: %s", out))
 }
 default:
 reportFunc = report.Json
 }
 fmt.Println(report.Statis(depRoot, taskInfo))
- if args.Config.Out != "" {
+ if out != "" {
 if reportFunc != nil {
- report.Save(reportFunc(depRoot, taskInfo), args.Config.Out)
+ report.Save(reportFunc(depRoot, taskInfo), out)
 } else if reportByWriterFunc != nil {
 report.SaveByWriter(func(w io.Writer) {
 reportByWriterFunc(w, depRoot, taskInfo)
- }, args.Config.Out)
+ }, out)
 }
 } else {
 fmt.Println(string(reportFunc(depRoot, taskInfo)))
diff --git a/config.json b/config.json
index 63fc667..ab62c31 100644
--- a/config.json
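Review bot: The new `.swid.json` branch silently rewrites `out` to `<name>.swid.json.zip`, so the report is saved at a path other than the one the user asked for, and the `.swid.xml` branch in the second hunk does the same. Nothing printed afterwards mentions the final location; adding `fmt.Println("report saved to " + out)` inside the `if out != ""` block of the second hunk would make the rename visible. The body of `output` begins before the first hunk, and that `out` is a local copy of `args.Config.Out` is inferred from the second hunk's replacements rather than visible here.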
+++ b/config.json
@@ -1,5 +1,4 @@
 {
- "path": "",
 "db": "",
 "url": "https://opensca.xmirror.cn",
 "token": "",
diff --git a/go.work.sum b/go.work.sum
new file mode 100644
index 0000000..1c53099
--- /dev/null
+++ b/go.work.sum
@@ -0,0 +1,4 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/util/go.mod b/util/go.mod
index e2ad6a7..4eaf38c 100644
--- a/util/go.mod
+++ b/util/go.mod
@@ -6,4 +6,15 @@ require (
 github.com/CycloneDX/cyclonedx-go v0.7.0
 github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394
 github.com/pkg/errors v0.9.1
+ github.com/veraison/swid v0.0.1-beta.6
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/fxamacker/cbor/v2 v2.3.0 // indirect
+ github.com/google/uuid v1.3.0 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/stretchr/testify v1.8.0 // indirect
+ github.com/x448/float16 v0.8.4 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/util/go.sum b/util/go.sum
index 6a02893..63b677e 100644
--- a/util/go.sum
+++ b/util/go.sum
@@ -1,5 +1,28 @@
 github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
 github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
 github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394/go.mod h1:Q8n74mJTIgjX4RBBcHnJ05h//6/k6foqmgE45jTQtxg=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.3.0 h1:aM45YGMctNakddNNAezPxDUpv38j44Abh+hifNuqXik=
+github.com/fxamacker/cbor/v2 v2.3.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/veraison/swid v0.0.1-beta.6 h1:ysDyCOPwGyjiBnhAM+/kgTEcc/PWieIbUQJOjnSTK48=
+github.com/veraison/swid v0.0.1-beta.6/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/util/model/dependency.go b/util/model/dependency.go
index e80df43..73cb5c0 100644
--- a/util/model/dependency.go
+++ b/util/model/dependency.go
@@ -49,6 +49,15 @@ type Dependency struct {
 LanguageStr string `json:"language,omitempty"`
 }
 
+// GetVersion 获取版本号
+func (d Dependency) GetVersion() string {
+ if d.Version != nil {
+ return d.Version.Org
+ } else {
+ return d.VersionStr
+ }
+}
+
 // NewDependency 创建Dependency
 func NewDependency() Dependency {
 dep := Dependency{
diff --git a/util/model/purl.go b/util/model/purl.go
index 3335b2c..811d2ef 100644
--- a/util/model/purl.go
+++ b/util/model/purl.go
@@ -36,10 +36,7 @@ func (dep Dependency) Purl() string {
 group = g
 }
 }
- version := dep.VersionStr
- if dep.Version != nil && dep.Version.Org != "" {
- version = dep.Version.Org
- }
+ version := dep.GetVersion()
 if dep.Vendor == "" {
 return fmt.Sprintf("pkg:%s/%s@%s", group, dep.Name, version)
 }
diff --git a/util/report/swid.go b/util/report/swid.go
new file mode 100644
index 0000000..cbeb39c
--- /dev/null
+++ b/util/report/swid.go
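Review bot: `GetVersion` returns `d.Version.Org` whenever `Version` is non-nil, even when `Org` is empty, whereas the lines it replaces in the `Purl` hunk of util/model/purl.go only preferred `Version.Org` when it was non-empty and otherwise fell back to `VersionStr`; after this change a dependency with a parsed but empty `Org` yields `pkg:.../name@` instead of `@<VersionStr>`, and every other caller of the helper (the new swid report included) inherits the same gap. Keeping the old precedence inside the helper restores it: change the condition to `if d.Version != nil && d.Version.Org != "" {` and make the fallback an unconditional `return d.VersionStr` after the `if`, which also drops the `else` following a `return`. The Chinese doc comment would read better as `// GetVersion returns the parsed version when available, otherwise VersionStr.` so the precedence is stated where the helper is defined.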
@@ -0,0 +1,78 @@
+package report
+
+import (
+ "archive/zip"
+ "encoding/json"
+ "encoding/xml"
+ "fmt"
+ "io"
+ "strings"
+ "util/logs"
+ "util/model"
+
+ "github.com/veraison/swid"
+)
+
+func buildSwid(ext string, writer io.Writer, dep *model.DepTree, taskInfo TaskInfo) {
+ format(dep)
+ w := zip.NewWriter(writer)
+ defer w.Close()
+ q := []*model.DepTree{dep}
+ for len(q) > 0 {
+ n := q[0]
+ q = append(q[1:], n.Children...)
+ if n.Name == "" {
+ continue
+ }
+ tag, err := swid.NewTag(fmt.Sprint(n.ID), n.Name, n.GetVersion())
+ if err != nil {
+ logs.Warn(err)
+ continue
+ }
+ tag.TagVersion = 1
+ tag.SoftwareName = n.Name
+ tag.SoftwareVersion = n.GetVersion()
+ tag.VersionScheme = &swid.VersionScheme{}
+ tag.VersionScheme.SetCode(1)
+ if n.Vendor != "" {
+ e := swid.Entity{
+ RegID: n.Vendor,
+ EntityName: "The vendor of component",
+ Roles: swid.Roles{},
+ }
+ e.Roles.Set("softwareCreator")
+ tag.AddEntity(e)
+ }
+
+ name := []string{fmt.Sprint(n.ID)}
+ if n.Vendor != "" {
+ name = append(name, n.Vendor)
+ }
+ name = append(name, n.Name)
+ if n.GetVersion() != "" {
+ name = append(name, n.GetVersion())
+ }
+ f, err := w.Create(strings.Join(name, "-") + "." + strings.TrimLeft(ext, "."))
+ if err != nil {
+ logs.Warn(err)
+ continue
+ }
+ if strings.Contains(ext, "json") {
+ if err = json.NewEncoder(f).Encode(tag); err != nil {
+ logs.Warn(err)
+ }
+ } else if strings.Contains(ext, "xml") {
+ if err = xml.NewEncoder(f).Encode(tag); err != nil {
+ logs.Warn(err)
+ }
+ }
+ }
+}
+
+func SwidJson(writer io.Writer, dep *model.DepTree, taskInfo TaskInfo) {
+ buildSwid("json", writer, dep, taskInfo)
+}
+
+func SwidXml(writer io.Writer, dep *model.DepTree, taskInfo TaskInfo) {
+ buildSwid("xml", writer, dep, taskInfo)
+}
-- 
Gitee
From 2d888a49b65c3a6874706c91d6fdb49e3446c2bf Mon Sep 17 00:00:00 2001
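Review bot: The zip entry name passed to `w.Create` is assembled from `n.Vendor` and `n.Name`, which come straight from package manifests and can contain `/` or `\` (Go module paths always do), so tags end up as nested directory paths inside the archive instead of the flat files this code appears to intend; replacing separators before joining, e.g. `entry := strings.NewReplacer("/", "_", "\\", "_").Replace(strings.Join(name, "-"))`, keeps every entry flat and predictable for whoever unpacks the report. `defer w.Close()` also discards the error from writing the zip central directory, the one failure that leaves a truncated archive with no warning at all; `defer func() { if err := w.Close(); err != nil { logs.Warn(err) } }()` matches the logging style used elsewhere in the function. Smaller points: `taskInfo` is accepted by `buildSwid` but never used, `tag.SoftwareName` and `tag.SoftwareVersion` repeat values already handed to `swid.NewTag`, and `SetCode(1)` is a bare magic number for the version scheme that deserves either the package's named constant for that code or a one-line comment naming the scheme. The results of `e.Roles.Set` and `tag.AddEntity` are dropped; if they return errors in this version of the swid package, logging them like the other failures would keep a malformed tag from being emitted silently.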
From: luotianqi777
Date: Tue, 7 Mar 2023 18:46:59 +0800
Subject: [PATCH 2/3] default mvn repo add aliyun mirror
---
 analyzer/java/mvn.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/analyzer/java/mvn.go b/analyzer/java/mvn.go
index b0f40ef..d99bf86 100644
--- a/analyzer/java/mvn.go
+++ b/analyzer/java/mvn.go
@@ -17,9 +17,10 @@ type Mvn struct {
 
 func NewMvn() Mvn {
 repos := args.GetRepoConfig()
- mvn := `https://repo.maven.apache.org/maven2/`
- repos[mvn] = args.RepoConfig{
- Repo: mvn,
+ for _, repo := range []string{`https://repo.maven.apache.org/maven2/`, `https://maven.aliyun.com/repository/public`} {
+ repos[repo] = args.RepoConfig{
+ Repo: repo,
+ }
 }
 return Mvn{
 repos: repos,
-- 
Gitee
From 4e9ba831c3f40c43d533a124bc6f485428d37522 Mon Sep 17 00:00:00 2001
From: luotianqi777
Date: Tue, 7 Mar 2023 18:49:09 +0800
Subject: [PATCH 3/3] config example add mvn repo
---
 config.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/config.json b/config.json
index ab62c31..ca71f26 100644
--- a/config.json
+++ b/config.json
@@ -6,5 +6,12 @@
 "cache": true,
 "vuln": false,
 "progress": true,
- "dedup": true
+ "dedup": true,
+ "maven":[
+ {
+ "repo":"",
+ "user":"",
+ "password":""
+ }
+ ]
 }
\ No newline at end of file
-- 
Gitee
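Review bot: The two default URLs in the new `range []string{...}` literal differ in shape — Maven Central keeps its trailing `/` while the Aliyun mirror has none — so if artifact URLs are built by concatenating the repo with a relative path (that code is outside this hunk), the mirror entry would produce `.../publicorg/...`; adding the slash to `https://maven.aliyun.com/repository/public/` keeps both entries consistent. Both defaults are also inserted into the `repos` map, so any lookup that ranges over the map will try Central and the mirror in an order that changes from run to run, and users who never configured a mirror will now have metadata fetched from a third-party host by default; keeping the mirror opt-in through the config's repo list, or giving Central a fixed first position, would make resolution deterministic and the extra network destination an explicit choice. `NewMvn` continues past the end of the hunk.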
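Review bot: The example `maven` entry adds a `password` field, so a filled-in `config.json` now carries a repository credential in plaintext beside the existing `token`; the configuration documentation should state that, and the project's ignore rules (not visible in this series) should keep a populated copy out of version control. The new keys are written `"repo":""` with no space after the colon while every surrounding key uses `"cache": true`; matching the existing spacing keeps the example consistent for people editing it by hand.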