From 5200d81e9de2c54018f44f2920843b9a5e5e5293 Mon Sep 17 00:00:00 2001
From: even <827656971@qq.com>
Date: Thu, 31 Jul 2025 15:47:06 +0800
Subject: [PATCH] =?UTF-8?q?sast=E4=BA=8C=E8=BF=9B=E5=88=B6=E9=80=BB?=
 =?UTF-8?q?=E8=BE=91=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../engine/worker/sast/SastBinaryWorker.java | 15 ++++++++++++---
 .../ci/process/engine/worker/sast/SastWorker.java | 13 ++++++++++++-
 .../service/sast/impl/SastServiceImpl.java | 2 +-
 .../test/java/cd/casic/server/VulInfoTest.java | 8 +++++++-
 4 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastBinaryWorker.java b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastBinaryWorker.java
index cb375bfc..c330a21f 100644
--- a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastBinaryWorker.java
+++ b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastBinaryWorker.java
@@ -11,8 +11,12 @@ import cd.casic.ci.process.engine.worker.base.BaseWorker;
 import cd.casic.ci.process.process.converter.SastConverter;
 import cd.casic.ci.process.process.dataObject.base.PipBaseElement;
 import cd.casic.ci.process.process.dataObject.history.PipPipelineHisInstance;
+import cd.casic.ci.process.process.dataObject.pipeline.PipPipeline;
+import cd.casic.ci.process.process.dataObject.target.TargetVersion;
 import cd.casic.ci.process.process.dataObject.task.PipTask;
+import cd.casic.ci.process.process.service.pipeline.PipelineService;
 import cd.casic.ci.process.process.service.sast.SastService;
+import cd.casic.ci.process.process.service.target.TargetVersionService;
 import cd.casic.ci.process.process.service.task.TaskService;
 import cd.casic.framework.commons.exception.ServiceException;
 import cd.casic.framework.commons.exception.enums.GlobalErrorCodeConstants;
@@ -36,6 +40,10 @@ public class SastBinaryWorker extends BaseWorker {
 private SastConverter converter;
 @Resource
 private TaskService taskService;
+ @Resource
+ private PipelineService pipelineService;
+ @Resource
+ private TargetVersionService targetVersionService;
 @Override
 public void execute(TaskRunContext context) {
 PipBaseElement contextDef = context.getContextDef();
@@ -133,16 +141,17 @@ public class SastBinaryWorker extends BaseWorker {
 }
 JSONObject reportJson = getJSONString(reportId);
 PipTask task = context.getContextDef() instanceof PipTask ? ((PipTask) context.getContextDef()) : null;
+ PipPipeline pipeline = pipelineService.getById(task.getPipelineId());
+ String targetVersionId = pipeline.getTargetVersionId();
+ TargetVersion targetVersion = targetVersionService.getById(pipeline.getTargetVersionId());
 postHandlerManager.registerPostHandler(new ExecuteTaskPostHandler(task.getId(),task.getPipelineId()) {
 @Override
 public void executeAfterDone(PipPipelineHisInstance pipPipelineHisInstance) {
- log.info("sast二进制后置处理器执行:",reportJson);
 JSONObject defects = reportJson.getJSONObject("defects");
- log.info("sast二进制后置处理器执行:",defects);
 for (String key : defects.keySet()) {
 String string = defects.getString(key);
 List sastVulInfoReqs = JSONArray.parseArray(string, SastVulInfoReq.class);
- sastService.saveReportVulInfo(sastVulInfoReqs,"targetType","targetName","city","instanceId","taskId","taskType");
+ sastService.saveReportVulInfo(sastVulInfoReqs,pipeline.getTargetType(),targetVersion.getFileName(),"重庆",pipPipelineHisInstance.getId(),taskId,task.getTaskType());
 }
 }
 });
diff --git a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastWorker.java b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastWorker.java
index e3e325cc..0cd99d7f 100644
--- a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastWorker.java
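Review bot: `targetVersionId` is assigned from `pipeline.getTargetVersionId()` and never read — the next line calls the getter again — so either use it, `TargetVersion targetVersion = targetVersionService.getById(targetVersionId);`, or drop the local. Neither `pipeline` nor `targetVersion` is null-checked before `pipeline.getTargetVersionId()` and `targetVersion.getFileName()`; if `getById` returns null for a pipeline with no target version bound (it presumably does), the failure is an NPE inside `executeAfterDone`, well after `execute` has returned, so a guard that throws a `ServiceException` before `registerPostHandler` would report the problem on the task itself. The city argument is the hard-coded literal `"重庆"` while every other argument now comes from the pipeline or target version, so every persisted vulnerability record is stamped with one city; a named constant or a field read from the pipeline would make that explicit. The same three points apply to the identical new lines in SastWorker.java (hunks `@@ -138,6 +146,9 @@` and `@@ -145,7 +156,7 @@`). The enclosing method begins before this hunk.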
+++ b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/engine/worker/sast/SastWorker.java
@@ -13,8 +13,12 @@ import cd.casic.ci.process.engine.worker.base.BaseWorker;
 import cd.casic.ci.process.process.converter.SastConverter;
 import cd.casic.ci.process.process.dataObject.base.PipBaseElement;
 import cd.casic.ci.process.process.dataObject.history.PipPipelineHisInstance;
+import cd.casic.ci.process.process.dataObject.pipeline.PipPipeline;
+import cd.casic.ci.process.process.dataObject.target.TargetVersion;
 import cd.casic.ci.process.process.dataObject.task.PipTask;
+import cd.casic.ci.process.process.service.pipeline.PipelineService;
 import cd.casic.ci.process.process.service.sast.SastService;
+import cd.casic.ci.process.process.service.target.TargetVersionService;
 import cd.casic.ci.process.process.service.task.TaskService;
 import cd.casic.framework.commons.exception.ServiceException;
 import cd.casic.framework.commons.exception.enums.GlobalErrorCodeConstants;
@@ -41,6 +45,10 @@ public class SastWorker extends BaseWorker {
 private SastConverter converter;
 @Resource
 private TaskService taskService;
+ @Resource
+ private PipelineService pipelineService;
+ @Resource
+ private TargetVersionService targetVersionService;
 @Override
 public void execute(TaskRunContext context) {
 PipBaseElement contextDef = context.getContextDef();
@@ -138,6 +146,9 @@ public class SastWorker extends BaseWorker {
 }
 JSONObject reportJson = getJSONString(reportId);
 PipTask task = context.getContextDef() instanceof PipTask ? ((PipTask) context.getContextDef()) : null;
+ PipPipeline pipeline = pipelineService.getById(task.getPipelineId());
+ String targetVersionId = pipeline.getTargetVersionId();
+ TargetVersion targetVersion = targetVersionService.getById(pipeline.getTargetVersionId());
 postHandlerManager.registerPostHandler(new ExecuteTaskPostHandler(task.getId(),task.getPipelineId()) {
 @Override
 public void executeAfterDone(PipPipelineHisInstance pipPipelineHisInstance) {
@@ -145,7 +156,7 @@ public class SastWorker extends BaseWorker {
 for (String key : defects.keySet()) {
 String string = defects.getString(key);
 List sastVulInfoReqs = JSONArray.parseArray(string, SastVulInfoReq.class);
- sastService.saveReportVulInfo(sastVulInfoReqs,"targetType","targetName","city","instanceId","taskId","taskType");
+ sastService.saveReportVulInfo(sastVulInfoReqs,pipeline.getTargetType(),targetVersion.getFileName(),"重庆",pipPipelineHisInstance.getId(),taskId,task.getTaskType());
 }
 }
 });
diff --git a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/impl/SastServiceImpl.java b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/impl/SastServiceImpl.java
index c49dab77..579d2d23 100644
--- a/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/impl/SastServiceImpl.java
+++ b/modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/impl/SastServiceImpl.java
@@ -359,7 +359,7 @@ public class SastServiceImpl implements SastService {
 continue;
 }
 //设置流水线相关属性,因为漏洞描述还有漏洞修复建议列表里面每一项都是一样的,所以直接取第一个
- SastVulInfoReq.DefectDetail first = defectDetails.getFirst();
+ SastVulInfoReq.DefectDetail first = defectDetails.get(0);
 String description = first.getDescription();
 String potentialRisk = first.getPotentialRisk();
 vulInfo.setSolution(potentialRisk);
diff --git a/ops-server/src/test/java/cd/casic/server/VulInfoTest.java b/ops-server/src/test/java/cd/casic/server/VulInfoTest.java
index f447d289..ce541b96 100644
--- a/ops-server/src/test/java/cd/casic/server/VulInfoTest.java
+++ b/ops-server/src/test/java/cd/casic/server/VulInfoTest.java
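Review bot: Swapping `getFirst()` for `get(0)` in SastServiceImpl reads as a compatibility fix for a runtime below Java 21, where `List.getFirst()` does not exist, but nothing records that, so a later cleanup can quietly reintroduce it; a comment on the line such as `// get(0), not getFirst(): the latter requires Java 21 (SequencedCollection)` would keep the reason with the code. Both calls throw on an empty list, so this line relies on the `continue` two lines above presumably guarding the empty case — its condition is outside the hunk and worth confirming. The enclosing method starts and ends outside this hunk.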
@@ -70,6 +70,12 @@ public class VulInfoTest {
 }
 @Test
 public void sastTest(){
-
+ String json = "{\"CWE\":[{\"severity\":\"高危\",\"name\":\"CWE-426: 不受信任的搜索路径\",\"count\":2,\"id\":\"8920a916-ecb2-4ce8-a7f1-cc2c5b84a6e0\",\"defect_details\":[{\"path\":\"constant_system\",\"file\":\"constant_system\",\"potential_risk\":\"1. 在使用外部库或组件时,使用其绝对路径以避免被恶意文件或库劫持。\\n\\n2. 验证环境变量和外部输入,确保他们包含与期望一致的值。\\n\\n3. 确保你的应用在运行时拥有正确的权限级别,不应该给予不必要的高权限。\\n\\n4. 使用安全库和框架,允许你加载安全路径,并避免加载不安全路径。\\n\\n5. 尽可能地改变应用程序使其不依赖当前的工作目录以查找其资源。\\n\\n6. 在加载插件或其他可执行代码时,尤其要小心。确保只执行或加载来自可信源的代码。\\n\\n7. 使用操作系统或运行时环境提供的机制来限制可执行路径的搜索范围。例如,Windows具有安全库加载功能,该功能可以限制加载库的目录。\\n\\n8. 对于使用动态链接库(DLL)的Windows应用程序,通过Windows的SafeDllSearchMode机制,可以改变搜索DLL文件的方式。默认情况下,在查找当前目录中的DLL之前,系统将首先在其他目录中查找DLL。避免将应用程序的安装目录设置为当前目录。\",\"line\":4198710,\"propagation_path\":[\"[{\\\"bugId\\\":null,\\\"filePath\\\":null,\\\"line\\\":4198719,\\\"methodName\\\":null,\\\"message\\\":null,\\\"codeSource\\\":null,\\\"variable\\\":null}]\"],\"description\":\"产品使用可指向非产品直接控制下的资源的外部提供的搜索路径来搜索关键资源。\"},{\"path\":\"main\",\"file\":\"main\",\"potential_risk\":\"1. 在使用外部库或组件时,使用其绝对路径以避免被恶意文件或库劫持。\\n\\n2. 验证环境变量和外部输入,确保他们包含与期望一致的值。\\n\\n3. 确保你的应用在运行时拥有正确的权限级别,不应该给予不必要的高权限。\\n\\n4. 使用安全库和框架,允许你加载安全路径,并避免加载不安全路径。\\n\\n5. 尽可能地改变应用程序使其不依赖当前的工作目录以查找其资源。\\n\\n6. 在加载插件或其他可执行代码时,尤其要小心。确保只执行或加载来自可信源的代码。\\n\\n7. 使用操作系统或运行时环境提供的机制来限制可执行路径的搜索范围。例如,Windows具有安全库加载功能,该功能可以限制加载库的目录。\\n\\n8. 
对于使用动态链接库(DLL)的Windows应用程序,通过Windows的SafeDllSearchMode机制,可以改变搜索DLL文件的方式。默认情况下,在查找当前目录中的DLL之前,系统将首先在其他目录中查找DLL。避免将应用程序的安装目录设置为当前目录。\",\"line\":4198727,\"propagation_path\":[\"[{\\\"bugId\\\":null,\\\"filePath\\\":null,\\\"line\\\":4198819,\\\"methodName\\\":null,\\\"message\\\":null,\\\"codeSource\\\":null,\\\"variable\\\":null}]\"],\"description\":\"产品使用可指向非产品直接控制下的资源的外部提供的搜索路径来搜索关键资源。\"}]},{\"severity\":\"高危\",\"name\":\"CWE-78: 操作系统命令中对特殊元素的不正确中和处理('操作系统命令注入')\",\"count\":1,\"id\":\"348e72d7-6af7-4c63-8bad-68430f45af28\",\"defect_details\":[{\"path\":\"main\",\"file\":\"main\",\"potential_risk\":\"操作系统命令注入(OS Command Injection)是一种严重的安全漏洞,它可能导致以下后果:\\n\\n1. 不授权访问:攻击者可能会利用这个漏洞执行未经授权的系统命令,这可能导致系统信息泄露或者更严重的后果,例如删除重要文件,下载恶意软件,甚至获取管理员权限。\\n\\n2. 数据丢失: 如果攻击者得以执行删除或修改数据的命令,可能会导致重要数据丢失。\\n\\n3. 系统崩溃:在某些情况下,攻击者可能能够通过执行某些命令导致操作系统崩溃,从而一定程度上拒绝服务(Denial of Service,简称DoS)。\\n\\n4. 恶意软件的传播:攻击者可以通过命令注入下载并执行恶意软件,攻击其他系统或者进行勒索软件等攻击。\\n\\n5. 系统控制:在最极端的情况下,攻击者可能会完全接管操作系统,获得对系统的完全控制权。\",\"line\":4198727,\"propagation_path\":[\"[{\\\"bugId\\\":null,\\\"filePath\\\":null,\\\"line\\\":4198819,\\\"methodName\\\":null,\\\"message\\\":null,\\\"codeSource\\\":null,\\\"variable\\\":null}]\"],\"description\":\"产品使用来自上游组件的受外部影响的输入构造操作系统命令的全部或部分,但它未能抵消或错误地抵消可能在发送到下游组件时修改预期操作系统命令的特殊元素。\"}]}]}";
+ JSONObject jsonObject = JSONObject.parseObject(json);
+ for (String key : jsonObject.keySet()) {
+ String string = jsonObject.getString(key);
+ List sastVulInfoReqs = JSONArray.parseArray(string, SastVulInfoReq.class);
+ sastService.saveReportVulInfo(sastVulInfoReqs,"targetType","targetName","city","instanceId","taskId","taskType");
+ }
 }
 }
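Review bot: `sastTest` still asserts nothing, so it passes whenever `saveReportVulInfo` does not throw, and it calls the real service with placeholder identifiers (`"instanceId"`, `"taskId"`, `"city"`) that presumably end up persisted by whatever store backs `sastService`; assert on what the call produces and make sure the test's writes are rolled back, otherwise this is a manual driver rather than a test. `List sastVulInfoReqs` is a raw type on a new line; `List<SastVulInfoReq> sastVulInfoReqs = JSONArray.parseArray(string, SastVulInfoReq.class);` keeps the compiler's check on the later call. The full SAST report inline in one string literal is hard to read or update, and loading it from a file under the test resources would reduce the method body to the parse-and-loop lines.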