How to scan Java Maven project using Synopsys detect

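My task is to understand how Black Duck works and how it can be used to scan a Maven-based Java project. So far, as far as I know, the best way to do this is to use Synopsys Detect. So I created an application.properties file and tried to scan a Maven-based project. The problem is that it does nothing. What am I missing?

This is my application.properties: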

blackduck.url=xxx
detect.project.name=MyProject
blackduck.api.token=xxx
detect.test.connection=true
blackduck.trust.cert=true
detect.bash.path=/usr/bin/bash
detect.bdio.output.path=output
detect.output.path=output
detect.java.path=/usr/bin/java
detect.maven.path=/usr/bin/mvn
#detect.cleanup=false
detect.required.detector.types=MAVEN
detect.notices.report=true
logging.level.com.synopsys.integration=DEBUG
detect.source.path=/ap
detect.tools=SIGNATURE_SCAN,BINARY_SCAN
detect.detector.search.depth=5

The output is as follows:

Detect Shell Script 2.3.0                                                                                                                                                                   
Will look for : https://sig-repo.synopsys.com/bds-integrations-release/com/synopsys/integration/synopsys-detect/6.2.1/synopsys-detect-6.2.1.jar                                             
You have already downloaded the latest file, so the local file will be used.                                                                                                                
Java Source: PATH                                                                                                                                                                           
running Detect: "java"  -jar "/tmp/synopsys-detect-6.2.1.jar"                                                                                                                               
______     _            _                                                                                                                                                                   
|  _  \   | |          | |                                                                                                                                                                  
| | | |___| |_ ___  ___| |_                                                                                                                                                                 
| | | / _ \ __/ _ \/ __| __|                                                                                                                                                                
| |/ /  __/ ||  __/ (__| |_                                                                                                                                                                 
|___/ \___|\__\___|\___|\__|                                                                                                                                                                

WARNING: An illegal reflective access operation has occurred                                                                                                                                
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (jar:file:/tmp/synopsys-detect-6.2.1.jar!/BOOT-INF/lib/groovy-all-2.4.12.jar!/) to method java.lang.Object.
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass                                                                                    
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations                                                                                       
WARNING: All illegal access operations will be denied in a future release                                                                                                                   
2020-04-17 07:44:02 DEBUG [main] --- Initializing detect.                                                                                                                                   
2020-04-17 07:44:02 DEBUG [main] --- You seem to be running in a LINUX operating system.                                                                                                    
2020-04-17 07:44:02 DEBUG [main] --- Detect boot begin.                                                                                                                                     

Detect Version: 6.2.1                                                                                                                                                                       

2020-04-17 07:44:03 DEBUG [main] --- Configuration processed completely.                                                                                                                    
2020-04-17 07:44:03 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:03 INFO  [main] --- Current property values:                                                                                                                               
2020-04-17 07:44:03 INFO  [main] --- --property = value [notes]                                                                                                                             
2020-04-17 07:44:03 INFO  [main] --- ------------------------------------------------------------                                                                                           
2020-04-17 07:44:03 INFO  [main] --- blackduck.api.token = **************************************************************************************************** [applicationConfig: [file:./
]                                                                                                                                                                                           

2020-04-17 07:44:03 INFO  [main] --- blackduck.trust.cert = true [applicationConfig: [file:./application.properties]]                                                                       
2020-04-17 07:44:03 INFO  [main] --- blackduck.url = xxx   [applicationConfig: [file:./application.properties]]                                                                      
2020-04-17 07:44:03 INFO  [main] --- detect.bash.path = /usr/bin/bash [applicationConfig: [file:./application.properties]]                                                                  
2020-04-17 07:44:03 INFO  [main] --- detect.bdio.output.path = output [applicationConfig: [file:./application.properties]]                                                                  
2020-04-17 07:44:03 INFO  [main] --- detect.detector.search.depth = 5 [applicationConfig: [file:./application.properties]]                                                                  
2020-04-17 07:44:03 INFO  [main] --- detect.java.path = /usr/bin/java [applicationConfig: [file:./application.properties]]                                                                  
2020-04-17 07:44:03 INFO  [main] --- detect.maven.build.command = clean install [applicationConfig: [file:./application.properties]]                                                        
2020-04-17 07:44:03 INFO  [main] --- detect.maven.path = /usr/bin/mvn [applicationConfig: [file:./application.properties]]                                                                  
2020-04-17 07:44:03 INFO  [main] --- detect.notices.report = true [applicationConfig: [file:./application.properties]]                                                                      
2020-04-17 07:44:03 INFO  [main] --- detect.output.path = output [applicationConfig: [file:./application.properties]]                                                                       
2020-04-17 07:44:03 INFO  [main] --- detect.project.name = MyProject [applicationConfig: [file:./application.properties]]                                                                   
2020-04-17 07:44:03 INFO  [main] --- detect.required.detector.types = MAVEN [applicationConfig: [file:./application.properties]]                                                            
2020-04-17 07:44:03 INFO  [main] --- detect.source.path = /app [applicationConfig: [file:./application.properties]]                                                                         
2020-04-17 07:44:03 INFO  [main] --- detect.test.connection = true [applicationConfig: [file:./application.properties]]                                                                     
2020-04-17 07:44:03 INFO  [main] --- detect.tools = SIGNATURE_SCAN,BINARY_SCAN [applicationConfig: [file:./application.properties]]                                                         
2020-04-17 07:44:03 INFO  [main] --- logging.level.com.synopsys.integration = DEBUG [applicationConfig: [file:./application.properties]]                                                    
2020-04-17 07:44:03 INFO  [main] --- ------------------------------------------------------------                                                                                           
2020-04-17 07:44:03 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:03 DEBUG [main] --- Initializing Detect.                                                                                                                                   
2020-04-17 07:44:03 INFO  [main] --- Tilde's will be automatically resolved to USER HOME.                                                                                                   
2020-04-17 07:44:03 INFO  [main] --- Source directory: /app                                                                                                                                 
2020-04-17 07:44:03 INFO  [main] --- Output directory: /app/output                                                                                                                          
2020-04-17 07:44:03 INFO  [main] --- Run directory: /app/output/runs/2020-04-17-07-44-02-908                                                                                                
2020-04-17 07:44:03 DEBUG [main] --- Main boot completed. Deciding what Detect should do.                                                                                                   
2020-04-17 07:44:03 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:03 DEBUG [main] --- Black Duck will run: A Black Duck url was found.                                                                                                       
2020-04-17 07:44:03 DEBUG [main] --- Polaris will NOT run because it is excluded.                                                                                                           
2020-04-17 07:44:03 DEBUG [main] --- Decided what products will be run. Starting product boot.                                                                                              
2020-04-17 07:44:03 DEBUG [main] --- Detect product boot start.                                                                                                                             
2020-04-17 07:44:03 DEBUG [main] --- Will boot Black Duck product.                                                                                                                          
2020-04-17 07:44:04 DEBUG [main] --- Detect will check communication with the Black Duck server.                                                                                            
2020-04-17 07:44:04 INFO  [main] --- Connection to the Black Duck server was successful.                                                                                                    
2020-04-17 07:44:04 WARN  [main] --- Automatically trusting server certificates - not recommended for production use.                                                                       
2020-04-17 07:44:05 INFO  [main] --- Successfully connected to Black Duck (version 2019.6.0)!                                                                                               
2020-04-17 07:44:06 DEBUG [main] --- Connected as: xxx                                                                                                                                  
2020-04-17 07:44:06 DEBUG [main] --- Roles: BOM Manager, Project Manager, Policy Violation Reviewer, Project Code Scanner, Security Manager, Project Viewer                                 
2020-04-17 07:44:06 DEBUG [main] --- Group:                                                                                                                                                 
2020-04-17 07:44:06 DEBUG [main] --- Test Connection to Black Duck is set to 'true' so Detect will not run.                                                                                 
2020-04-17 07:44:06 INFO  [main] --- No products to run, Detect is complete.                                                                                                                
2020-04-17 07:44:06 DEBUG [main] --- Detect boot completed.                                                                                                                                 
2020-04-17 07:44:06 DEBUG [main] --- Detect will NOT attempt to run.                                                                                                                        
2020-04-17 07:44:06 INFO  [main] --- Creating status file: output/runs/2020-04-17-07-44-02-908/status/status.json                                                                           
2020-04-17 07:44:06 DEBUG [main] --- Detect shutdown begin.                                                                                                                                 
2020-04-17 07:44:06 DEBUG [main] --- Detect will cleanup.                                                                                                                                   
2020-04-17 07:44:06 DEBUG [main] --- Cleaning up directory: /app/output/runs/2020-04-17-07-44-02-908                                                                                        
2020-04-17 07:44:06 DEBUG [main] --- Cleaning up: /app/output/runs/2020-04-17-07-44-02-908/status                                                                                           
2020-04-17 07:44:06 INFO  [main] --- Cleaning up directory: /app/output/runs/2020-04-17-07-44-02-908                                                                                        
2020-04-17 07:44:06 DEBUG [main] --- Detect shutdown completed.                                                                                                                             
2020-04-17 07:44:06 DEBUG [main] --- All Detect actions completed.                                                                                                                          
2020-04-17 07:44:06 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:06 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:06 INFO  [main] --- ======== Detect Status ========                                                                                                                        
2020-04-17 07:44:06 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:06 INFO  [main] --- Overall Status: SUCCESS                                                                                                                                
2020-04-17 07:44:06 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:06 INFO  [main] --- ===============================                                                                                                                        
2020-04-17 07:44:06 INFO  [main] ---                                                                                                                                                        
2020-04-17 07:44:06 INFO  [main] --- Detect duration: 00h 00m 04s 065ms                                                                                                                     
Result code of 0, exiting      

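OK, after a lot of trial and error, I found that I had misunderstood the detect.test.connection=true parameter. It does not test the connection to Black Duck before scanning (which was my understanding); instead it sets Detect to a kind of dry run, so that it does not execute any detectors etc. So omitting the parameter solved my problem.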

blackduck.url="https://hostname.com"
detect.maven.path="Maven/3.3.9/bin/mvnSynopsys"
detect.force.success=true 
detect.project.name="Myproject"
detect.project.version.name="projectversion"
blackduck.trust.cert=true
detect.blackduck.signature.scanner.snippet.matching=SNIPPET_MATCHING
detect.blackduck.signature.scanner.exclusion.patterns="excluded files"
logging.level.com.synopsys.integration=INFO 
blackduck.offline.mode=false   
detect.output.path="scanDirPath"
detect.maven.build.command="-Drepo.id=repopath -Dmaven.repo.local=mavenlocalrepo"
blackduck.api.token=XXX
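
The pitfall described in the answer, a run with detect.test.connection=true that ends with "Overall Status: SUCCESS" and result code 0 without scanning anything, can be caught by a check in the build pipeline. The following is an added example, not code from the original posts or from Synopsys: the function names are hypothetical, the sample input is constructed from the properties and log lines on this page, and the stated effect of detect.force.success (Detect always exits with code 0) comes from Detect's documentation rather than from this page.

```python
# Added example: flag Detect runs that end green without a trustworthy scan.
RISKY = {
    "detect.test.connection": "Detect only tests the connection; nothing is scanned",
    "detect.force.success": "Detect exits 0 even if the scan fails (per Detect docs)",
    "blackduck.trust.cert": "server certificate is trusted without validation",
}
# Messages copied from the Detect 6.2.1 log shown on this page.
NO_SCAN_MARKERS = (
    "so Detect will not run",
    "No products to run",
    "Detect will NOT attempt to run",
)

def parse_properties(text):
    """Parse key=value lines; skip blanks and # comments; strip surrounding quotes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().strip('"')
    return props

def risky_settings(props):
    """Return the risky keys that are switched on, with the reason for each."""
    return {k: why for k, why in RISKY.items() if props.get(k, "").lower() == "true"}

def verify_run(props_text, log_text, exit_code):
    """Reasons why this run must not count as a passed scan (empty list = OK)."""
    found = risky_settings(parse_properties(props_text))
    reasons = [f"{k}=true: {why}" for k, why in found.items()]
    reasons += [f"log says: {m}" for m in NO_SCAN_MARKERS if m in log_text]
    if exit_code != 0:
        reasons.append(f"exit code {exit_code}")
    return reasons

# Constructed sample input: excerpts of the question's properties file and log.
SAMPLE_PROPS = """\
blackduck.url=xxx
detect.test.connection=true
blackduck.trust.cert=true
#detect.cleanup=false
detect.required.detector.types=MAVEN
"""
SAMPLE_LOG = """\
2020-04-17 07:44:06 DEBUG [main] --- Test Connection to Black Duck is set to 'true' so Detect will not run.
2020-04-17 07:44:06 INFO  [main] --- No products to run, Detect is complete.
2020-04-17 07:44:06 INFO  [main] --- Overall Status: SUCCESS
"""

if __name__ == "__main__":
    for reason in verify_run(SAMPLE_PROPS, SAMPLE_LOG, 0):
        print("NOT A VALID SCAN:", reason)
```

Run against the question's inputs, the check reports both the dry-run setting and the log lines that confirm no scan took place, even though Detect itself returned 0.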