Merge pull request #3 from Maskhe/axin

version 1.0.8

CHANGES

@@ -2,6 +2,17 @@ Changelog
 
 =========
 
+Version 1.0.8
+
+- feature  dump dependencies tree to file include / exclude scan result
+- upgrade  upgrade org.apache.httpcomponents:httpclient to 4.5.13
+
+Version 1.0.7
+
+- bugfix   NPE on outputDepToFile
+- feature  only analyze mode
+- feature  dump dependencies tree to file
+
 Version 1.0.6
 
 - feature  change simple-json to gson

README.md

@@ -93,7 +93,7 @@ Maven >= 3.1
     <plugin>
         <groupId>com.immomo.momosec</groupId>
         <artifactId>mosec-maven-plugin</artifactId>
-        <version>1.0.7</version>
+        <version>1.0.8</version>
         <executions>
             <execution>
                 <id>test</id>
@@ -144,7 +144,7 @@ mosec:test
       User property: onlyProvenance
 
     outputDepToFile (Default: )
-      输出依赖树到文件
+      输出依赖树到文件，如果用户设置了onlyAnalyze=true则仅输出依赖树，否则输出依赖树以及漏洞检查结果
       User property: outputDepToFile
 
     severityLevel (Default: High)
@@ -193,7 +193,7 @@ MOSEC-MAVEN-PLUGIN使用`org.apache.maven:maven-core`组件中提供的`aether-a
 4.在另一个maven工程中执行如下命令
 
 ```shell script
-> mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.7:test
+> mvnDebug com.immomo.momosec:mosec-maven-plugin:1.0.8:test
 ```
 
-5.回到Intellij中，下断点，开始Debug
+5.回到Intellij中，下断点，开始Debug

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar.md5

@@ -0,0 +1 @@
+eaab7df555e60240e4fa10a6009c8397

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.jar.sha1

@@ -0,0 +1 @@
+a498dbf4f6979fb752d846d6321b2967a0997bf7

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom

@@ -0,0 +1,124 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <prerequisites>
+    <maven>3.1.0</maven>
+  </prerequisites>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>mosec-maven-plugin</artifactId>
+  <version>1.0.8</version>
+  <packaging>maven-plugin</packaging>
+
+  <name>Mosec Maven Plugin</name>
+  <description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
+
+  <developers>
+    <developer>
+      <name>retanoj</name>
+      <email>mmsrc@immomo.com</email>
+    </developer>
+  </developers>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <mavenVersion>3.3.9</mavenVersion>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-core</artifactId>
+      <version>${mavenVersion}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.plugin-tools</groupId>
+      <artifactId>maven-plugin-annotations</artifactId>
+      <version>3.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.8.5</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>4.5.13</version>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.apache.maven.plugin-testing</groupId>
+      <artifactId>maven-plugin-testing-harness</artifactId>
+      <version>3.3.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>2.28.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-compat</artifactId>
+      <version>3.3.9</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-plugin-plugin</artifactId>
+        <version>3.5</version>
+        <configuration>
+          <goalPrefix>mosec</goalPrefix>
+          <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
+        </configuration>
+        <executions>
+          <execution>
+            <id>mojo-descriptor</id>
+            <goals>
+              <goal>descriptor</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>help-goal</id>
+            <goals>
+              <goal>helpmojo</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.6.2</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+          <compilerArgument>-Xlint</compilerArgument>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <distributionManagement>
+    <repository>
+      <id>internal</id>
+      <url>file://mvn-repo</url>
+    </repository>
+  </distributionManagement>
+</project>

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom.md5

@@ -0,0 +1 @@
+a6c1f8d0cffbb61f3287950aa4cf1844

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.8/mosec-maven-plugin-1.0.8.pom.sha1

@@ -0,0 +1 @@
+085580bdcd35aec853378a0752979b5a94352b5e

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml

@@ -3,11 +3,12 @@
   <groupId>com.immomo.momosec</groupId>
   <artifactId>mosec-maven-plugin</artifactId>
   <versioning>
-    <latest>1.0.7</latest>
+    <latest>1.0.8</latest>
-    <release>1.0.7</release>
+    <release>1.0.8</release>
     <versions>
       <version>1.0.7</version>
+      <version>1.0.8</version>
     </versions>
-    <lastUpdated>20210603114400</lastUpdated>
+    <lastUpdated>20210621033628</lastUpdated>
   </versioning>
 </metadata>

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.md5

@@ -1 +1 @@
-9a19947fd891260a434b54caab6706ea
+95c17d487c921627a9b97445e2a00f47

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.sha1

@@ -1 +1 @@
-7229e831d912dcebec125e09a6fd9dee76fea894
+4f2ce91855db9e696891caa64a322b381bef5894

pom.xml

@@ -8,7 +8,7 @@
 
   <groupId>com.immomo.momosec</groupId>
   <artifactId>mosec-maven-plugin</artifactId>
-  <version>1.0.7</version>
+  <version>1.0.8</version>
   <packaging>maven-plugin</packaging>
 
   <name>Mosec Maven Plugin</name>
@@ -46,7 +46,7 @@
     <dependency>
       <groupId>org.apache.httpcomponents</groupId>
       <artifactId>httpclient</artifactId>
-      <version>4.5.10</version>
+      <version>4.5.13</version>
     </dependency>
 
 

src/main/java/com/immomo/momosec/maven/plugins/MosecTest.java

@@ -34,6 +34,8 @@ import org.eclipse.aether.RepositorySystemSession;
 import org.eclipse.aether.collection.DependencyCollectionException;
 import org.eclipse.aether.repository.RemoteRepository;
 
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -97,7 +99,7 @@ public class MosecTest extends AbstractMojo {
     private String outputDepToFile;
 
     /**
-     * 仅分析依赖，不上报
+     * 仅分析依赖，不进行漏洞检查
      */
     @Parameter(property = "onlyAnalyze", defaultValue = "false")
     private Boolean onlyAnalyze;
@@ -146,11 +148,11 @@ public class MosecTest extends AbstractMojo {
             projectTree.addProperty("severityLevel", severityLevel);
             String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
             getLog().debug(jsonDepTree);
-            if (outputDepToFile != null && !"".equals(outputDepToFile)) {
-                writeToFile(outputDepToFile, jsonDepTree);
-            }
 
             if (Boolean.TRUE.equals(onlyAnalyze)) {
+                if (!"".equals(outputDepToFile) && outputDepToFile != null) {
+                    writeToFile(outputDepToFile, jsonDepTree);
+                }
                 getLog().info("onlyAnalyze mode, Done.");
                 return;
             }
@@ -168,8 +170,18 @@ public class MosecTest extends AbstractMojo {
                 throw new NetworkErrorException(response.getStatusLine().getReasonPhrase());
             }
 
+            JsonParser parser = new JsonParser();
+            JsonObject responseJson;
+            try {
+                responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();
+            } catch (JsonParseException | IllegalStateException e) {
+                throw new NetworkErrorException(Constants.ERROR_ON_API);
+            }
+            if (!"".equals(outputDepToFile) && outputDepToFile != null) {
+                writeToFile(outputDepToFile, jsonDepTree, responseJson);
+            }
             Renderer renderer = new Renderer(getLog(), failOnVuln);
-            renderer.renderResponse(response.getEntity().getContent());
+            renderer.renderResponse(responseJson);
 
         } catch (DependencyCollectionException e) {
             throw new MojoFailureException(e.getMessage());

src/main/java/com/immomo/momosec/maven/plugins/Renderer.java

@@ -34,15 +34,7 @@ public class Renderer {
         this.failOnVuln = failOnVuln;
     }
 
-    public void renderResponse(InputStream in) throws NetworkErrorException, FoundVulnerableException {
+    public void renderResponse(JsonObject responseJson) throws NetworkErrorException, FoundVulnerableException {
-        JsonParser parser = new JsonParser();
-        JsonObject responseJson;
-        try {
-            responseJson = parser.parse(new BufferedReader(new InputStreamReader(in))).getAsJsonObject();
-        } catch (JsonParseException | IllegalStateException e) {
-            throw new NetworkErrorException(Constants.ERROR_ON_API);
-        }
-
         if(responseJson.get("ok") != null && responseJson.get("ok").getAsBoolean()) {
             String ok = "✓ Tested %s dependencies, no vulnerable found.";
             getLog().info(logHelper.strongInfo(String.format(ok, responseJson.get("dependencyCount").getAsString())));
@@ -100,4 +92,22 @@ public class Renderer {
         outputStream.write(jsonTree.getBytes());
         outputStream.close();
     }
+
+    public static void writeToFile(String filename, String jsonTree, JsonObject responseJson) throws IOException, NetworkErrorException {
+        File file = new File(filename);
+        JsonParser parser = new JsonParser();
+        JsonObject result = parser.parse(jsonTree).getAsJsonObject();
+        result.add("ok", responseJson.get("ok"));
+        result.add("dependencyCount", responseJson.get("dependencyCount"));
+        result.add("vulnerabilities", responseJson.get("vulnerabilities"));
+        if (!file.exists()) {
+            File dir = new File(file.getAbsoluteFile().getParent());
+            dir.mkdirs();
+            file.createNewFile();
+        }
+        String jsonResult = new GsonBuilder().setPrettyPrinting().create().toJson(result);
+        FileOutputStream outputStream = new FileOutputStream(file);
+        outputStream.write(jsonResult.getBytes());
+        outputStream.close();
+    }
 }

src/test/java/com/immomo/momosec/maven/plugins/TestRenderer.java

@@ -15,6 +15,7 @@
  */
 package com.immomo.momosec.maven.plugins;
 
+import com.google.gson.JsonParser;
 import com.immomo.momosec.maven.plugins.exceptions.FoundVulnerableException;
 import com.immomo.momosec.maven.plugins.exceptions.NetworkErrorException;
 import org.apache.maven.monitor.logging.DefaultLog;
@@ -45,7 +46,8 @@ public class TestRenderer {
     private final String no_vulnerable_response =
         "{" +
         "  \"ok\": true," +
-        "  \"dependencyCount\": 3" +
+        "  \"dependencyCount\": 3," +
+        "  \"vulnerabilities\": []" +
         "}";
 
     private final String vulnerable_response =
@@ -74,20 +76,11 @@ public class TestRenderer {
         System.setErr(originalErr);
     }
 
-
-    @Test
-    public void renderResponseTest_ErrorJson() throws Exception {
-        exceptionRule.expect(NetworkErrorException.class);
-        exceptionRule.expectMessage(Constants.ERROR_ON_API);
-
-        Renderer renderer = new Renderer(log, true);
-        renderer.renderResponse(new ByteArrayInputStream("_".getBytes()));
-    }
-
     @Test
     public void renderResponseTest_NotFoundVuln() throws Exception {
         Renderer renderer = new Renderer(log, true);
-        renderer.renderResponse(new ByteArrayInputStream(no_vulnerable_response.getBytes()));
+        JsonParser parser = new JsonParser();
+        renderer.renderResponse(parser.parse(no_vulnerable_response).getAsJsonObject());
 
         String expect = "[INFO] " + logHelper.strongInfo("✓ Tested 3 dependencies, no vulnerable found.") + "\n";
         Assert.assertEquals(expect, outContent.toString());
@@ -99,13 +92,15 @@ public class TestRenderer {
         exceptionRule.expectMessage(Constants.ERROR_ON_VULNERABLE);
 
         Renderer renderer = new Renderer(log, true);
-        renderer.renderResponse(new ByteArrayInputStream(vulnerable_response.getBytes()));
+        JsonParser parser = new JsonParser();
+        renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
     }
 
     @Test
     public void renderResponseTest_FoundVulnWithoutFailOnVuln() throws Exception {
         Renderer renderer = new Renderer(log, false);
-        renderer.renderResponse(new ByteArrayInputStream(vulnerable_response.getBytes()));
+        JsonParser parser = new JsonParser();
+        renderer.renderResponse(parser.parse(vulnerable_response).getAsJsonObject());
 
         String expect =
                 "[WARNING] " + logHelper.strongError("✗ High severity (Fake Vulnerable - CVE-0001-0001) found on com.study.foo:bar@1.0.0") + "\n" +