How to scan Java Maven project using Synopsys detect
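My task is to understand how blackduck works and how it can be used to scan Maven-based Java projects. So far, as far as I understand, the best way to do this is to use Synopsys detect. So I created an application.properties file and tried to scan a Maven-based project. The problem is, it does nothing. What am I missing?
Here is my application.properties: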
blackduck.url=xxx
detect.project.name=MyProject
blackduck.api.token=xxx
detect.test.connection=true
blackduck.trust.cert=true
detect.bash.path=/usr/bin/bash
detect.bdio.output.path=output
detect.output.path=output
detect.java.path=/usr/bin/java
detect.maven.path=/usr/bin/mvn
#detect.cleanup=false
detect.required.detector.types=MAVEN
detect.notices.report=true
logging.level.com.synopsys.integration=DEBUG
detect.source.path=/ap
detect.tools=SIGNATURE_SCAN,BINARY_SCAN
detect.detector.search.depth=5
The output is as follows:
Detect Shell Script 2.3.0
Will look for : https://sig-repo.synopsys.com/bds-integrations-release/com/synopsys/integration/synopsys-detect/6.2.1/synopsys-detect-6.2.1.jar
You have already downloaded the latest file, so the local file will be used.
Java Source: PATH
running Detect: "java" -jar "/tmp/synopsys-detect-6.2.1.jar"
______ _ _
| _ \ | | | |
| | | |___| |_ ___ ___| |_
| | | / _ \ __/ _ \/ __| __|
| |/ / __/ || __/ (__| |_
|___/ \___|\__\___|\___|\__|
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (jar:file:/tmp/synopsys-detect-6.2.1.jar!/BOOT-INF/lib/groovy-all-2.4.12.jar!/) to method java.lang.Object.
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2020-04-17 07:44:02 DEBUG [main] --- Initializing detect.
2020-04-17 07:44:02 DEBUG [main] --- You seem to be running in a LINUX operating system.
2020-04-17 07:44:02 DEBUG [main] --- Detect boot begin.
Detect Version: 6.2.1
2020-04-17 07:44:03 DEBUG [main] --- Configuration processed completely.
2020-04-17 07:44:03 INFO [main] ---
2020-04-17 07:44:03 INFO [main] --- Current property values:
2020-04-17 07:44:03 INFO [main] --- --property = value [notes]
2020-04-17 07:44:03 INFO [main] --- ------------------------------------------------------------
2020-04-17 07:44:03 INFO [main] --- blackduck.api.token = **************************************************************************************************** [applicationConfig: [file:./
]
2020-04-17 07:44:03 INFO [main] --- blackduck.trust.cert = true [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- blackduck.url = xxx [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.bash.path = /usr/bin/bash [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.bdio.output.path = output [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.detector.search.depth = 5 [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.java.path = /usr/bin/java [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.maven.build.command = clean install [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.maven.path = /usr/bin/mvn [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.notices.report = true [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.output.path = output [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.project.name = MyProject [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.required.detector.types = MAVEN [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.source.path = /app [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.test.connection = true [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- detect.tools = SIGNATURE_SCAN,BINARY_SCAN [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- logging.level.com.synopsys.integration = DEBUG [applicationConfig: [file:./application.properties]]
2020-04-17 07:44:03 INFO [main] --- ------------------------------------------------------------
2020-04-17 07:44:03 INFO [main] ---
2020-04-17 07:44:03 DEBUG [main] --- Initializing Detect.
2020-04-17 07:44:03 INFO [main] --- Tilde's will be automatically resolved to USER HOME.
2020-04-17 07:44:03 INFO [main] --- Source directory: /app
2020-04-17 07:44:03 INFO [main] --- Output directory: /app/output
2020-04-17 07:44:03 INFO [main] --- Run directory: /app/output/runs/2020-04-17-07-44-02-908
2020-04-17 07:44:03 DEBUG [main] --- Main boot completed. Deciding what Detect should do.
2020-04-17 07:44:03 INFO [main] ---
2020-04-17 07:44:03 DEBUG [main] --- Black Duck will run: A Black Duck url was found.
2020-04-17 07:44:03 DEBUG [main] --- Polaris will NOT run because it is excluded.
2020-04-17 07:44:03 DEBUG [main] --- Decided what products will be run. Starting product boot.
2020-04-17 07:44:03 DEBUG [main] --- Detect product boot start.
2020-04-17 07:44:03 DEBUG [main] --- Will boot Black Duck product.
2020-04-17 07:44:04 DEBUG [main] --- Detect will check communication with the Black Duck server.
2020-04-17 07:44:04 INFO [main] --- Connection to the Black Duck server was successful.
2020-04-17 07:44:04 WARN [main] --- Automatically trusting server certificates - not recommended for production use.
2020-04-17 07:44:05 INFO [main] --- Successfully connected to Black Duck (version 2019.6.0)!
2020-04-17 07:44:06 DEBUG [main] --- Connected as: xxx
2020-04-17 07:44:06 DEBUG [main] --- Roles: BOM Manager, Project Manager, Policy Violation Reviewer, Project Code Scanner, Security Manager, Project Viewer
2020-04-17 07:44:06 DEBUG [main] --- Group:
2020-04-17 07:44:06 DEBUG [main] --- Test Connection to Black Duck is set to 'true' so Detect will not run.
2020-04-17 07:44:06 INFO [main] --- No products to run, Detect is complete.
2020-04-17 07:44:06 DEBUG [main] --- Detect boot completed.
2020-04-17 07:44:06 DEBUG [main] --- Detect will NOT attempt to run.
2020-04-17 07:44:06 INFO [main] --- Creating status file: output/runs/2020-04-17-07-44-02-908/status/status.json
2020-04-17 07:44:06 DEBUG [main] --- Detect shutdown begin.
2020-04-17 07:44:06 DEBUG [main] --- Detect will cleanup.
2020-04-17 07:44:06 DEBUG [main] --- Cleaning up directory: /app/output/runs/2020-04-17-07-44-02-908
2020-04-17 07:44:06 DEBUG [main] --- Cleaning up: /app/output/runs/2020-04-17-07-44-02-908/status
2020-04-17 07:44:06 INFO [main] --- Cleaning up directory: /app/output/runs/2020-04-17-07-44-02-908
2020-04-17 07:44:06 DEBUG [main] --- Detect shutdown completed.
2020-04-17 07:44:06 DEBUG [main] --- All Detect actions completed.
2020-04-17 07:44:06 INFO [main] ---
2020-04-17 07:44:06 INFO [main] ---
2020-04-17 07:44:06 INFO [main] --- ======== Detect Status ========
2020-04-17 07:44:06 INFO [main] ---
2020-04-17 07:44:06 INFO [main] --- Overall Status: SUCCESS
2020-04-17 07:44:06 INFO [main] ---
2020-04-17 07:44:06 INFO [main] --- ===============================
2020-04-17 07:44:06 INFO [main] ---
2020-04-17 07:44:06 INFO [main] --- Detect duration: 00h 00m 04s 065ms
Result code of 0, exiting
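Well, after a lot of trial and error, I found out that I had misunderstood the detect.test.connection=true parameter. It does not test the connection to blackduck before scanning (which was my understanding); instead it puts detect into a kind of dry run, so that it does not execute the detectors etc. So omitting the parameter solved my problem.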
blackduck.url="https://hostname.com"
detect.maven.path="Maven/3.3.9/bin/mvnSynopsys"
detect.force.success=true
detect.project.name="Myproject"
detect.project.version.name="projectversion"
blackduck.trust.cert=true
detect.blackduck.signature.scanner.snippet.matching=SNIPPET_MATCHING
detect.blackduck.signature.scanner.exclusion.patterns="excluded files"
logging.level.com.synopsys.integration=INFO
blackduck.offline.mode=false
detect.output.path="scanDirPath"
detect.maven.build.command="-Drepo.id=repopath -Dmaven.repo.local=mavenlocalrepo"
blackduck.api.token=XXX
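The run in the question ended with "Overall Status: SUCCESS" and result code 0 although nothing was scanned, so a pipeline gate that trusts only the exit code would pass. The following check is an added example, not part of the original posts or of Synopsys Detect; the function names are hypothetical, the property names and log messages are the ones shown on this page, and it handles only simple `key=value` lines.

```python
# Properties that change what a green Detect run means. The first two reasons
# come from the log on this page; detect.force.success makes Detect exit 0.
RISKY_WHEN_TRUE = {
    "detect.test.connection": "connection test only, no detectors or scans run",
    "blackduck.trust.cert": "server certificate is trusted without validation",
    "detect.force.success": "exit code 0 even when the scan fails",
}

# Messages copied from the log above; only "No products to run" is INFO level.
NO_SCAN_MARKERS = ("so Detect will not run", "No products to run", "Detect will NOT attempt to run")

def parse_properties(text):
    """Parse simple key=value lines; comments (# or !) and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().strip('"')
    return props

def lint_properties(text):
    """Return (property, reason) for each risky property that is set to true."""
    props = parse_properties(text)
    return [(k, why) for k, why in RISKY_WHEN_TRUE.items()
            if props.get(k, "").lower() == "true"]

def no_scan_evidence(log_text):
    """Return the log lines showing that a 'SUCCESS' run stopped before scanning."""
    return [line for line in log_text.splitlines()
            if any(marker in line for marker in NO_SCAN_MARKERS)]

# Sample input: excerpts of the configuration and log shown on this page.
SAMPLE_PROPS = """detect.test.connection=true
blackduck.trust.cert=true
#detect.cleanup=false
"""
SAMPLE_LOG = """2020-04-17 07:44:06 DEBUG [main] --- Test Connection to Black Duck is set to 'true' so Detect will not run.
2020-04-17 07:44:06 INFO [main] --- No products to run, Detect is complete.
2020-04-17 07:44:06 INFO [main] --- Overall Status: SUCCESS
"""

if __name__ == "__main__":
    for finding in lint_properties(SAMPLE_PROPS) + no_scan_evidence(SAMPLE_LOG):
        print(finding)
```

Run the lint before invoking Detect and the log check afterwards; a non-empty result from either means the green status should not be read as a completed scan.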