Approach

Working approach for integrating dependency checking (todo), building an API, and route checking or planning:

  1. Dependency-Check component: can its command be executed from our pipeline? It returns results as XML.

  2. Call FindBugs to scan application routes. The results land in the FindBugs output but cannot be fed into Coverity; alternatively a standalone program can analyse the application's routes, appkey, domain and committer and write its output to the cover-build directory.

  3. Call a program that implements the FindBugs (already integrated) Node.js scan (FindBugs must be invoked first and then run), the dependency analysis (reworked into FindBugs), and the processing of the (route) messages.

    At the time the requirement was to implement steps 3, 4 and 5 of the figure below. Grafeas is a Go-based CRUD API, so we need to implement our own version, using its message format as the reference.

The end goal: from source-level analysis of the build environment, dependencies, open-source components and routes, produce structured, Grafeas-like generic API metadata.

Process

Third-party dependencies:

OWASP dependency-check (Dependency-Check Core can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. Dependency-Check Core will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov). When run online it goes through the following steps:

[INFO] Checking for updates

[INFO] Skipping NVD check since last check was within 4 hours.

[INFO] Check for updates complete (23 ms)

[INFO] Analysis Started

[INFO] Finished Archive Analyzer (12 seconds)

[INFO] Finished File Name Analyzer (0 seconds)

[INFO] Finished Jar Analyzer (0 seconds)

[INFO] Finished Central Analyzer (515 seconds)

[INFO] Finished Dependency Merging Analyzer (0 seconds)

[INFO] Finished Version Filter Analyzer (0 seconds)

[INFO] Finished Hint Analyzer (0 seconds)

[INFO] Created CPE Index (1 seconds)

[INFO] Skipping CPE Analysis for npm

[INFO] Finished CPE Analyzer (2 seconds)

[INFO] Finished False Positive Analyzer (0 seconds)

[INFO] Finished NVD CVE Analyzer (1 seconds)

[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)

[INFO] Finished Dependency Bundling Analyzer (0 seconds)

[INFO] Analysis Complete (533 seconds)

It depends on online analysis (the NVD data update); the results come as XML, JSON, HTML, VULN or ALL output formats and need to be normalised.

How should these results finally be merged into the unified API or the report view?
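One answer to that question, and to the Grafeas-style metadata goal in the Approach section, is a small normaliser that reads the Dependency-Check XML report and emits one record per (dependency, CVE) pair in a Grafeas-like occurrence shape. The code below is an added example written for these notes; it is not Dependency-Check's or Grafeas' own code. The sample report is constructed in the shape of the Dependency-Check 2.x XML output (element names are an assumption for other versions; the parser ignores the xmlns so a schema-version bump in the namespace does not break it), and the record layout is modelled on Grafeas' VulnerabilityOccurrence in camelCase JSON rather than taken from its generated schema. CVE-2017-5645 is a real NVD entry for log4j-core before 2.8.2; the jar paths, SHA-1 values and project name are made up.

```python
"""Normalise a Dependency-Check XML report into Grafeas-style occurrences.

Added example for these notes; not Dependency-Check's or Grafeas' own code.
Assumptions: Dependency-Check 2.x XML element names, and a camelCase record
shape modelled on Grafeas' VulnerabilityOccurrence.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample report (paths, sha1 values and project name are made up).
SAMPLE_REPORT = """
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.0.xsd">
  <projectInfo><name>demo-app</name></projectInfo>
  <dependencies>
    <dependency>
      <fileName>log4j-core-2.8.1.jar</fileName>
      <filePath>/build/lib/log4j-core-2.8.1.jar</filePath>
      <sha1>0123456789abcdef0123456789abcdef01234567</sha1>
      <identifiers>
        <package confidence="HIGH">
          <id>pkg:maven/org.apache.logging.log4j/log4j-core@2.8.1</id>
        </package>
      </identifiers>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>CVE-2017-5645</name>
          <cvssV3><baseScore>9.8</baseScore><baseSeverity>CRITICAL</baseSeverity></cvssV3>
          <severity>CRITICAL</severity>
          <description>Deserialization of untrusted data in the socket server.</description>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>commons-io-2.6.jar</fileName>
      <filePath>/build/lib/commons-io-2.6.jar</filePath>
      <sha1>89abcdef0123456789abcdef0123456789abcdef</sha1>
      <identifiers>
        <package confidence="HIGH"><id>pkg:maven/commons-io/commons-io@2.6</id></package>
      </identifiers>
    </dependency>
  </dependencies>
</analysis>
"""

# Grafeas Severity enum values; Dependency-Check's strings are mapped onto them
# (older reports use mixed case and "Moderate", so normalise before lookup).
SEVERITY_MAP = {"CRITICAL": "CRITICAL", "HIGH": "HIGH", "MEDIUM": "MEDIUM",
                "MODERATE": "MEDIUM", "LOW": "LOW"}


def _local(tag):
    """Drop the '{xmlns}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """Direct child element whose local name is `name`, or None."""
    for e in elem:
        if _local(e.tag) == name:
            return e
    return None


def _text(elem, name, default=""):
    """Stripped text of the direct child `name`, or `default`."""
    c = _child(elem, name) if elem is not None else None
    return c.text.strip() if c is not None and c.text else default


def _cvss(vuln):
    """Prefer the CVSSv3 base score, fall back to v2, None when neither exists."""
    for block in ("cvssV3", "cvssV2"):
        score = _text(_child(vuln, block), "baseScore")
        if score:
            return float(score)
    return None


def report_to_occurrences(xml_text, project="demo"):
    """One VULNERABILITY occurrence per (dependency, CVE); clean deps yield nothing."""
    root = ET.fromstring(xml_text)
    occurrences = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        path = _text(dep, "filePath") or _text(dep, "fileName")
        ids = _child(dep, "identifiers")
        pkg = _child(ids, "package") if ids is not None else None
        purl = _text(pkg, "id") if pkg is not None else ""
        vulns = _child(dep, "vulnerabilities")
        for v in (vulns if vulns is not None else []):
            if _local(v.tag) != "vulnerability":
                continue
            raw_sev = _text(v, "severity").upper()
            occurrences.append({
                "resourceUri": f"file://{path}",
                "noteName": f"projects/{project}/notes/{_text(v, 'name')}",
                "kind": "VULNERABILITY",
                "vulnerability": {
                    "severity": SEVERITY_MAP.get(raw_sev, "SEVERITY_UNSPECIFIED"),
                    "cvssScore": _cvss(v),
                    "shortDescription": _text(v, "description"),
                    "packageIssue": [{"affectedPackage": purl,
                                      "source": v.get("source", ""),
                                      "sha1": _text(dep, "sha1")}],
                },
            })
    return occurrences


if __name__ == "__main__":
    print(json.dumps(report_to_occurrences(SAMPLE_REPORT), indent=2))
```

Because the severity string is normalised before lookup and unknown values fall back to SEVERITY_UNSPECIFIED, a report from a different Dependency-Check version degrades to an unranked record instead of crashing the pipeline; the noteName keyed on the CVE is what lets one note be shared by every project that carries the same vulnerable jar.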

Routes

Currently implemented: bytecode analysis of Spring projects identifies the URLs and parameters of routes declared through annotations (dependency-injection style) and writes them to an output file.

It is currently built on FindBugs, because the routes have to be identified in the CI scan rather than only at runtime; the results are JSON, HTML and XML and also need normalising.
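Before the FindBugs detector output is normalised, it helps to fix the route record shape (HTTP method, full path, handler, parameters with their binding source). The following is an added example written for these notes, not the FindBugs-based scanner described above: it builds that inventory from Spring controller source text with a small annotation parser, which is a source-level approximation of what the bytecode scan produces (the same class-level base path plus method-level mapping, and the parameter bindings). The controller, its class and method names are constructed; the handling of Spring's @RequestMapping/@GetMapping family and @RequestParam/@PathVariable/@RequestBody/@RequestHeader follows their documented attribute names.

```python
"""Route inventory for a Spring controller, built from source text.

Added example for these notes (not the FindBugs bytecode detector): a
source-level approximation that yields the same record shape we want the
CI scan to emit. Sample controller and all names in it are constructed.
"""
import json
import re

SAMPLE_JAVA = '''
@RestController
@RequestMapping("/api/v1")
public class UserController {

    @GetMapping("/users/{id}")
    public User get(@PathVariable("id") long id,
                    @RequestParam(value = "expand", required = false) String expand) { ... }

    @PostMapping(value = "/users", consumes = "application/json")
    public User create(@RequestBody UserDto dto) { ... }

    @RequestMapping(path = "/users/{id}", method = RequestMethod.DELETE)
    public void delete(@PathVariable long id) { ... }
}
'''

METHOD_OF = {"Get": "GET", "Post": "POST", "Put": "PUT", "Delete": "DELETE", "Patch": "PATCH"}
PARAM_SOURCES = {"RequestParam": "query", "PathVariable": "path",
                 "RequestBody": "body", "RequestHeader": "header"}
# annotation(s), optional modifier, return type (with generics), method name, '('
_SIGNATURE = re.compile(r'\s*(?:@\w+(?:\([^)]*\))?\s*)*(?:public|protected|private)?\s*'
                        r'(?:static\s+)?[\w.\[\]]+(?:<[^>]*>)?\s+(\w+)\s*\(')


def _balanced(src, open_idx):
    """Text inside the parenthesis group that opens at src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced parentheses")


def _split_top(s):
    """Split on commas that are not nested inside () or <> (annotation args, generics)."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch in "(<":
            depth += 1
        elif ch in ")>":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


def _mapping_path(args):
    """Path from mapping args: value="..."/path="..." or a bare leading string."""
    m = re.search(r'\b(?:value|path)\s*=\s*"([^"]*)"', args) or re.match(r'\s*"([^"]*)"', args)
    return m.group(1) if m else ""


def _parse_param(decl):
    """'@RequestParam(value = "q", required = false) String q' -> binding record."""
    m = re.match(r'@(\w+)(?:\s*\((.*)\))?\s*(.*)$', decl, re.S)
    source, name, required = "unknown", None, True
    if m:
        ann, ann_args, rest = m.group(1), m.group(2) or "", m.group(3)
        source = PARAM_SOURCES.get(ann, "unknown")
        n = re.search(r'(?:\b(?:value|name)\s*=\s*|^\s*)"([^"]*)"', ann_args)
        name = n.group(1) if n else None
        required = not re.search(r'required\s*=\s*false', ann_args)
    else:
        rest = decl
    tokens = rest.split()
    java_type = tokens[-2] if len(tokens) >= 2 else ""
    var = tokens[-1] if tokens else ""
    return {"in": source, "name": name or var, "type": java_type, "required": required}


def routes_from_source(src):
    """List of {method, path, handler, params} for every mapped handler method."""
    cls_idx = src.find("class ")
    head = src[:cls_idx] if cls_idx >= 0 else ""
    bm = re.search(r'@RequestMapping\s*\(', head)
    base = _mapping_path(_balanced(head, bm.end() - 1)) if bm else ""
    routes = []
    for m in re.finditer(r'@(Get|Post|Put|Delete|Patch|Request)Mapping\s*\(', src):
        if m.start() < cls_idx:
            continue                      # class-level mapping already folded into base
        args = _balanced(src, m.end() - 1)
        sm = _SIGNATURE.match(src, m.end() + len(args) + 1)
        if not sm:
            continue
        params = _balanced(src, sm.end() - 1)
        if m.group(1) == "Request":
            hm = re.search(r'RequestMethod\.(\w+)', args)
            method = hm.group(1) if hm else "ANY"   # bare @RequestMapping matches every verb
        else:
            method = METHOD_OF[m.group(1)]
        path = _mapping_path(args)
        full = base.rstrip("/") + ("/" + path.lstrip("/") if path else "")
        routes.append({"method": method, "path": full or "/", "handler": sm.group(1),
                       "params": [_parse_param(p) for p in _split_top(params)]})
    return routes


if __name__ == "__main__":
    print(json.dumps(routes_from_source(SAMPLE_JAVA), indent=2))
```

The "ANY" method for a bare @RequestMapping and the explicit required flag are the two details worth keeping when the bytecode detector's JSON is normalised: a route that answers every verb, or a query parameter that is optional, is exactly what a reviewer wants to see without opening the source.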

Build check

Check the build commands (the various .sh scripts).

Implementation