sast二进制

modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/dto/req/sast/SastVulInfoReq.java

@@ -32,24 +32,25 @@ public class SastVulInfoReq {
         }
         defectDetails.add(detail);
     }
+    @Data
+    @NoArgsConstructor
+    @AllArgsConstructor
+    public static class DefectDetail {
+        private String file;
+        private int line;
+        private String path;
+        private List<String> propagationPath = new ArrayList<>();
+        private String description;
+        private String potentialRisk;
+
+        // 便捷方法
+        public void addPropagationPath(String path) {
+            if (propagationPath == null) {
+                propagationPath = new ArrayList<>();
+            }
+            propagationPath.add(path);
+        }
 }
 
-@Data
-@NoArgsConstructor
-@AllArgsConstructor
-class DefectDetail {
-    private String file;
-    private int line;
-    private String path;
-    private List<String> propagationPath = new ArrayList<>();
-    private String description;
-    private String potentialRisk;
 
-    // 便捷方法
-    public void addPropagationPath(String path) {
-        if (propagationPath == null) {
-            propagationPath = new ArrayList<>();
-        }
-        propagationPath.add(path);
-    }
 }

modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/SastService.java

@@ -37,5 +37,5 @@ public interface SastService {
     List<SastEngineLogResp> engineLog(String applicationId);
     SastApplicationBinaryStashResp applicationBinaryStash(SastApplicationBinaryStashReq req) ;
     SastApplicationStashResp binaryStashScan(String applicationId);
-    void saveReportVulInfo(List<SastVulInfoReq> req);
+    void saveReportVulInfo(List<SastVulInfoReq> list,String targetType,String targetName,String city,String instanceId,String taskId,String taskType);
 }

modules/module-ci-process-biz/src/main/java/cd/casic/ci/process/process/service/sast/impl/SastServiceImpl.java

@@ -9,6 +9,7 @@ import cd.casic.ci.process.process.dataObject.volumnInfo.VulInfo;
 import cd.casic.ci.process.process.service.pipeline.PipelineService;
 import cd.casic.ci.process.process.service.sast.SastService;
 import cd.casic.ci.process.process.service.target.TargetVersionService;
+import cd.casic.ci.process.process.service.vulInfo.VulInfoService;
 import cd.casic.ci.process.properties.SastProperties;
 import cd.casic.framework.commons.exception.ServiceException;
 import cd.casic.framework.commons.exception.enums.GlobalErrorCodeConstants;
@@ -27,6 +28,7 @@ import org.luaj.vm2.ast.Str;
 import org.springframework.core.io.FileSystemResource;
 import org.springframework.http.*;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestTemplate;
@@ -55,10 +57,13 @@ public class SastServiceImpl implements SastService {
     private PipelineService pipelineService;
     @Resource
     private TargetVersionService targetVersionService;
+    @Resource
+    private VulInfoService vulInfoService;
     public static final String TOKEN_PREFIX = "Bearer ";
     public static final String TOKEN_HEADER_KEY = "authorization";
     public static final String REDIS_SAST_TOKEN_KEY = "REDIS_SAST_TOKEN_KEY";
 
+
     private SastTokenResp getTokenRemote(){
         HttpHeaders httpHeaders = new HttpHeaders();
         HttpEntity<SastProperties> httpEntity = new HttpEntity<SastProperties>(sastProperties,httpHeaders);
@@ -338,13 +343,37 @@ public class SastServiceImpl implements SastService {
     }
 
     @Override
-    public void saveReportVulInfo(List<SastVulInfoReq> list) {
+    public void saveReportVulInfo(List<SastVulInfoReq> list,String targetType,String targetName,String city,String instanceId,String taskId,String taskType) {
+        if (CollectionUtils.isEmpty(list)) {
+            return;
+        }
+        List<VulInfo> vulInfos = new ArrayList<>(list.size());
         for (SastVulInfoReq req : list) {
             VulInfo vulInfo = new VulInfo();
             // 设置安全等级、名称
+            vulInfo.setVulTitle(req.getName());
+            String severity = req.getSeverity();
+            List<SastVulInfoReq.DefectDetail> defectDetails = req.getDefectDetails();
             // 设置描述修复措施
-            //设置流水线相关属性
+            if (CollectionUtils.isEmpty(defectDetails)) {
+                continue;
+            }
+            //设置流水线相关属性,因为漏洞描述还有漏洞修复建议列表里面每一项都是一样的，所以直接取第一个
+            SastVulInfoReq.DefectDetail first = defectDetails.getFirst();
+            String description = first.getDescription();
+            String potentialRisk = first.getPotentialRisk();
+            vulInfo.setSolution(potentialRisk);
+            vulInfo.setVulDescription(description);
+            vulInfo.setSeverity(securityLevelToSeverity(severity));
+            vulInfo.setTargetType(targetType);
+            vulInfo.setTargetName(targetName);
+            vulInfo.setCity(city);
+            vulInfo.setInstanceId(instanceId);
+            vulInfo.setTaskId(taskId);
+            vulInfo.setTaskType(taskType);
+            vulInfos.add(vulInfo);
         }
+        vulInfoService.saveBatch(vulInfos);
     }
 
     private HttpHeaders getHeaders(){
@@ -352,4 +381,17 @@ public class SastServiceImpl implements SastService {
         httpHeaders.set(TOKEN_HEADER_KEY,TOKEN_PREFIX+getToken());
         return httpHeaders;
     }
+    private Integer securityLevelToSeverity(String securityLevel) {
+        if (securityLevel == null) {
+            return 0;
+        }
+        // 映射规则：严重 -> 1, 高危 -> 2, 中危 -> 3, 低危 -> 4
+        return switch (securityLevel) {
+            case "严重" -> 1;
+            case "高危" -> 2;
+            case "中危" -> 3;
+            case "安全", "低危" -> 4;
+            default -> 0;
+        };
+    }
 }

ops-server/src/test/java/cd/casic/server/VulInfoTest.java

@@ -1,13 +1,17 @@
 package cd.casic.server;
 
 import cd.casic.ci.process.constant.PipelineTargetTypeConstant;
+import cd.casic.ci.process.dto.req.sast.SastVulInfoReq;
 import cd.casic.ci.process.dto.req.testCase.TestCaseAITaskCreateReq;
 import cd.casic.ci.process.dto.resp.ScaVulInfoResp;
 import cd.casic.ci.process.process.converter.VulInfoConverter;
 import cd.casic.ci.process.process.dataObject.target.TargetVersion;
 import cd.casic.ci.process.process.dataObject.volumnInfo.VulInfo;
+import cd.casic.ci.process.process.service.sast.SastService;
 import cd.casic.ci.process.process.service.testCase.TestCaseAIGeneratorService;
 import cd.casic.ci.process.process.service.vulInfo.VulInfoService;
+import com.alibaba.fastjson.JSONArray;
+import com.alibaba.fastjson.JSONObject;
 import jakarta.annotation.Resource;
 import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.Test;
@@ -34,6 +38,8 @@ public class VulInfoTest {
     private VulInfoService vulInfoService;
     @Resource
     private VulInfoConverter converter;
+    @Resource
+    private SastService sastService;
     @Test
     public void test() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
         System.out.println(vulInfoService.scaVulCountGet(681));
@@ -61,5 +67,9 @@ public class VulInfoTest {
         });
         vulInfoService.saveBatch(vulInfos);
 
+    }
+    @Test
+    public void sastTest(){
+
     }
 }