Merge pull request #41 from XmirrorSecurity/master

[pull] master from XmirrorSecurity:master

Author: cyberchen1995

.github/workflows/run_opensca_scan.yml

@@ -0,0 +1,32 @@
+name: OpenSCA Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+
+jobs:
+  opensca_scan:
+    name: OpenSCA Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            cmd/
+            opensca/
+            go.mod
+            main.go
+      - name: Run OpenSCA Scan
+        uses: XmirrorSecurity/opensca-scan-action@v1
+        with:
+          token: ${{ secrets.OPENSCA_TOKEN }}
+          proj: ${{ secrets.OPENSCA_PROJECT_ID }}
+          need-artifact: true
+          out: "outputs/results.json,outputs/result.html"

README.md

@@ -61,7 +61,7 @@
 
 ## 下载安装
 
-1. 从 [github](https://github.com/XmirrorSecurity/OpenSCA-cli/releases) 或 [gitee](https://gitee.com/XmirrorSecurity/OpenSCA-cli/releases)  下载对应系统架构的可执行文件压缩包
+1. 从 [github](https://github.com/XmirrorSecurity/OpenSCA-cli/releases) 或 [gitee](https://gitee.com/XmirrorSecurity/OpenSCA-cli/releases) 或 [gitcode](https://gitcode.com/XmirrorSecurity/OpenSCA-cli/releases) 下载对应系统架构的可执行文件压缩包
 
 2. 或者下载源码编译(需要 `go 1.18` 及以上版本)
 
@@ -70,10 +70,14 @@
    git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca && cd opensca && go build
    // gitee linux/mac
    git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca && cd opensca && go build
+   // gitcode linux/mac
+   git clone https://gitcode.com/XmirrorSecurity/OpenSCA-cli.git opensca && cd opensca && go build
    // github windows
    git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca ; cd opensca ; go build
    // gitee windows
    git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca ; cd opensca ; go build
+   // gitcode windows
+    git clone https://gitcode.com/XmirrorSecurity/OpenSCA-cli.git opensca ; cd opensca ; go build
    ```
 
    默认生成当前系统架构的程序，如需生成其他系统架构可配置环境变量后编译
@@ -191,25 +195,25 @@ docker run -ti --rm -v ${PWD}:/src opensca/opensca-cli -token ${put_your_token_h
 
 ### 漏洞库字段说明
 
-| 字段                | 描述                              | 是否必填 |
-| :------------------ | :-------------------------------- | :------- |
-| `vendor`            | 组件厂商                          | 否       |
-| `product`           | 组件名                            | 是       |
-| `version`           | 漏洞影响版本                      | 是       |
-| `language`          | 组件语言                          | 是       |
-| `name`              | 漏洞名                            | 否       |
-| `id`                | 自定义编号                        | 是       |
-| `cve_id`            | cve 编号                          | 否       |
-| `cnnvd_id`          | cnnvd 编号                        | 否       |
-| `cnvd_id`           | cnvd 编号                         | 否       |
-| `cwe_id`            | cwe 编号                          | 否       |
-| `description`       | 漏洞描述                          | 否       |
-| `description_en`    | 漏洞英文描述                      | 否       |
-| `suggestion`        | 漏洞修复建议                      | 否       |
-| `attack_type`       | 攻击方式                          | 否       |
-| `release_date`      | 漏洞发布日期                      | 否       |
-| `security_level_id` | 漏洞风险评级(1~4 风险程度递减)    | 否       |
-| `exploit_level_id`  | 漏洞利用评级(0:不可利用,1:可利用) | 否       |
+| 字段                | 描述                                     | 是否必填 |
+| :------------------ | :--------------------------------------- | :------- |
+| `vendor`            | 组件厂商                                 | 否       |
+| `product`           | 组件名                                   | 是       |
+| `version`           | 漏洞影响版本(必须为范围，不能填单个版本) | 是       |
+| `language`          | 组件语言                                 | 是       |
+| `name`              | 漏洞名                                   | 否       |
+| `id`                | 自定义编号                               | 是       |
+| `cve_id`            | cve 编号                                 | 否       |
+| `cnnvd_id`          | cnnvd 编号                               | 否       |
+| `cnvd_id`           | cnvd 编号                                | 否       |
+| `cwe_id`            | cwe 编号                                 | 否       |
+| `description`       | 漏洞描述                                 | 否       |
+| `description_en`    | 漏洞英文描述                             | 否       |
+| `suggestion`        | 漏洞修复建议                             | 否       |
+| `attack_type`       | 攻击方式                                 | 否       |
+| `release_date`      | 漏洞发布日期                             | 否       |
+| `security_level_id` | 漏洞风险评级(1~4 风险程度递减)           | 否       |
+| `exploit_level_id`  | 漏洞利用评级(0:不可利用,1:可利用)        | 否       |
 
 本地漏洞库中`language`字段设定值包含`java、javascript、golang、rust、php、ruby、python`
 

cmd/format/dpsbom.go

@@ -0,0 +1,117 @@
+package format
+
+import (
+	"archive/zip"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"path/filepath"
+	"strings"
+
+	"github.com/xmirrorsecurity/opensca-cli/v3/cmd/detail"
+	"github.com/xmirrorsecurity/opensca-cli/v3/opensca/model"
+)
+
+func DpSbomZip(report Report, out string) {
+	zipFile := out
+	if !strings.HasSuffix(out, ".zip") {
+		zipFile = out + ".zip"
+	}
+	jsonName := filepath.Base(out)
+	if !strings.HasSuffix(jsonName, ".json") {
+		jsonName = jsonName + ".json"
+	}
+	outWrite(zipFile, func(w io.Writer) error {
+		doc := pdSbomDoc(report)
+		if doc.Hashes.HashFile == "" {
+			return errors.New("hash file is required")
+		}
+
+		var h hash.Hash
+		switch strings.ToLower(doc.Hashes.Algorithm) {
+		case "sha-256":
+			h = sha256.New()
+		case "sha-1":
+			h = sha1.New()
+		case "md5":
+			h = md5.New()
+		case "":
+			return errors.New("hash algorithm is required")
+		default:
+			return fmt.Errorf("unsupported hash algorithm: %s", doc.Hashes.Algorithm)
+		}
+
+		tojson := func(w io.Writer) error {
+			encoder := json.NewEncoder(w)
+			encoder.SetIndent("", "  ")
+			return encoder.Encode(doc)
+		}
+
+		zipfile := zip.NewWriter(w)
+		defer zipfile.Close()
+
+		sbomfile, err := zipfile.Create(jsonName)
+		if err != nil {
+			return err
+		}
+		err = tojson(sbomfile)
+		if err != nil {
+			return err
+		}
+
+		hashfile, err := zipfile.Create(doc.Hashes.HashFile)
+		if err != nil {
+			return err
+		}
+		err = tojson(h)
+		if err != nil {
+			return err
+		}
+		hashstr := hex.EncodeToString(h.Sum(nil)[:])
+		hashfile.Write([]byte(hashstr))
+
+		return nil
+	})
+}
+
+func pdSbomDoc(report Report) *model.DpSbomDocument {
+
+	doc := model.NewDpSbomDocument(report.TaskInfo.AppName, "opensca-cli")
+
+	report.DepDetailGraph.ForEach(func(n *detail.DepDetailGraph) bool {
+
+		if n.Name == "" {
+			return true
+		}
+
+		lics := []string{}
+		for _, lic := range n.Licenses {
+			lics = append(lics, lic.ShortName)
+		}
+		doc.AppendComponents(func(dsp *model.DpSbomPackage) {
+			dsp.Identifier.Purl = n.Purl()
+			dsp.Name = n.Name
+			dsp.Version = n.Version
+			dsp.License = lics
+		})
+
+		children := []string{}
+		for _, c := range n.Children {
+			if c.Name == "" {
+				continue
+			}
+			children = append(children, c.Purl())
+		}
+		doc.AppendDependencies(n.Purl(), children)
+
+		return true
+	})
+
+	return doc
+}

cmd/format/save.go

@@ -39,6 +39,12 @@ func Save(report Report, output string) {
 		switch filepath.Ext(out) {
 		case ".html":
 			Html(genReport(report), out)
+		case ".zip":
+			if strings.HasSuffix(out, ".dpsbom.zip") {
+				DpSbomZip(report, out)
+			} else {
+				Json(genReport(report), out)
+			}
 		case ".json":
 			if strings.HasSuffix(out, ".spdx.json") {
 				SpdxJson(report, out)
@@ -48,9 +54,13 @@ func Save(report Report, output string) {
 				CycloneDXJson(report, out)
 			} else if strings.HasSuffix(out, ".swid.json") {
 				SwidJson(report, out)
+			} else if strings.HasSuffix(out, ".dpsbom.json") {
+				DpSbomZip(report, out)
 			} else {
 				Json(genReport(report), out)
 			}
+		case ".dpsbom":
+			DpSbomZip(report, out)
 		case ".dsdx":
 			Dsdx(report, out)
 		case ".spdx":

cmd/format/statis.go

@@ -7,7 +7,7 @@ import (
 )
 
 // Statis 统计概览信息
-func Statis(report Report) string {
+func Statis(report Report) (string, string) {
 
 	// 组件风险统计 key:0代表组件总数
 	depStatic := map[int]int{
@@ -50,10 +50,11 @@ func Statis(report Report) string {
 
 		return true
 	})
-
-	return fmt.Sprintf("Components:%d C:%d H:%d M:%d L:%d\n"+
-		"Vulnerabilities:%d C:%d H:%d M:%d L:%d",
-		depStatic[0], depStatic[1], depStatic[2], depStatic[3], depStatic[4],
-		vulStatic[0], vulStatic[1], vulStatic[2], vulStatic[3], vulStatic[4],
-	)
+	if vulStatic[0] != 0 {
+		return fmt.Sprintf("Components:%d C:%d H:%d M:%d L:%d",
+				depStatic[0], depStatic[1], depStatic[2], depStatic[3], depStatic[4]),
+			fmt.Sprintf("\nVulnerabilities:%d C:%d H:%d M:%d L:%d",
+				vulStatic[0], vulStatic[1], vulStatic[2], vulStatic[3], vulStatic[4])
+	}
+	return fmt.Sprintf("Components: %d", depStatic[0]), ""
 }

cmd/ui/ui.go

@@ -93,8 +93,9 @@ func OpenUI(report format.Report) {
 }
 
 func TaskInfo(report format.Report) *tview.TextView {
+	dep, vul := format.Statis(report)
 	info := tview.NewTextView().
-		SetText(format.Statis(report))
+		SetText(fmt.Sprintf("%s\n%s", dep, vul))
 	info.SetTextColor(tcell.ColorBlue)
 	return info
 }

docs/Contributing_Guideline-v1.0.md

@@ -78,4 +78,4 @@ We appreciate all the contributions to OpenSCA.
 
 Thanks again for your interest in OpenSCA and your support for our solution to open source vulnerabilities.
 
-For the Chinese version of our contributing guideline, please check [贡献指南（中文版）v1.0](./Contributing_Guideline-v1.0-zh_CN.md)。
+For the Chinese version of our contributing guideline, please check [贡献指南(中文版)v1.0](./Contributing_Guideline-v1.0-zh_CN.md)。