OpenSCA-cli
Can OpenSCA be configured to ignore specific paths when scanning?
Is your feature request related to a problem? Please describe.
When I scan our project with OpenSCA, it picks up the soot-1.0.jar file under the JarCollection directory. This JAR is a test package that contains no source code requiring security analysis, so it should not be in scope for the scan.
Current behaviour: during the scan, soot-1.0.jar is included in the scan results and its path appears in the scan output, for example:
{
"task_info": {
"tool_version": "v3.0.7",
"app_name": "TestCaseDroid",
"size": 0,
"start_time": "2025-04-18 08:26:39",
"end_time": "2025-04-18 08:27:02",
"cost_time": 23.0197382,
"error": "not config vuln database origin"
},
"id": "57178063596617728",
"children": [
{
"vendor": "org.example",
"name": "soot",
"version": "1.0-SNAPSHOT",
"language": "Java",
"id": "57178063596617729",
"direct": true,
"paths": [
"TestCaseDroid\\TestCaseDroid\\JarCollection\\soot-1.0.jar\\META-INF\\maven\\org.example\\soot\\pom.xml\\[org.example:soot:1.0-SNAPSHOT]"
]
},
{
"vendor": "edu.xjtu",
"name": "TestCaseDroid",
"version": "1.2",
"language": "Java",
"id": "57178063596617730",
"direct": true,
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]"
],
"children": [
{
"vendor": "org.soot-oss",
"name": "soot",
"version": "4.6.0",
"language": "Java",
"id": "57178063596617731",
"direct": true,
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]"
],
"licenses": [
{
"name": "GNU LESSER GENERAL PUBLIC LICENSE 2.1"
}
],
"children": [
{
"vendor": "commons-io",
"name": "commons-io",
"version": "2.17.0",
"language": "Java",
"id": "57178063596617743",
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]\\[commons-io:commons-io:2.17.0]"
]
},
This is not what we expect, because the JAR is only used for testing and should not take part in the scan.
Describe the solution you'd like
I would like an option to configure OpenSCA to exclude specific paths or directories (such as the JarCollection folder, or a specific JAR file such as soot-1.0.jar) from the scan.
Describe alternatives you've considered
Deleting the files manually to exclude them, but that is rather limited.
Additional context
OpenSCA version: v3.0.7
Project structure:
TestCaseDroid
│
├── .idea
├── JarCollection
│ ├── decompiler.jar
│ └── soot-1.0.jar
├── Lecture
├── README.md
├── src
│ ├── .gitignore
│ ├── LICENSE
└── pom.xml
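Until the tool grows an exclude option, the request above can be met by post-processing the JSON report. The following Go program is an added example written for this page; it is not part of OpenSCA-cli and not the issue author's code. It assumes only the report shape visible in the issue (vendor / name / version / paths / children, with paths written as backslash-separated Windows paths followed by "[group:artifact:version]" segments). The matching rules (bare patterns match a single path segment, patterns containing "/" match a leading sub-path) are a design choice of this example, and the sample report is a constructed, shortened copy of the one above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Dep is the subset of an OpenSCA-cli report node used here. Field names follow
// the report shown in the issue; unknown fields are dropped on re-encoding.
type Dep struct {
	Vendor   string   `json:"vendor,omitempty"`
	Name     string   `json:"name,omitempty"`
	Version  string   `json:"version,omitempty"`
	Language string   `json:"language,omitempty"`
	ID       string   `json:"id,omitempty"`
	Direct   bool     `json:"direct,omitempty"`
	Paths    []string `json:"paths,omitempty"`
	Children []*Dep   `json:"children,omitempty"`
}

// Report is the top-level object: task_info plus the root dependency node.
type Report struct {
	TaskInfo json.RawMessage `json:"task_info,omitempty"`
	Dep
}

// FsPath converts backslashes to "/" and cuts off the "[group:artifact:version]"
// coordinate segments the report appends, leaving only the filesystem part.
func FsPath(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	var segs []string
	for _, s := range strings.Split(p, "/") {
		if strings.HasPrefix(s, "[") {
			break
		}
		if s != "" {
			segs = append(segs, s)
		}
	}
	return strings.Join(segs, "/")
}

// Excluded reports whether a report path falls under any exclude pattern.
// A pattern without "/" is glob-matched against each single segment, so
// "JarCollection" or "*.jar" hits that directory or archive wherever it sits.
// A pattern with "/" is matched against every leading sub-path from the root,
// so "TestCaseDroid/TestCaseDroid/JarCollection" hits that directory and
// everything beneath it (hypothetical .gitignore-like semantics, chosen here).
func Excluded(p string, patterns []string) bool {
	segs := strings.Split(FsPath(p), "/")
	for _, pat := range patterns {
		for i := range segs {
			candidate := segs[i]
			if strings.Contains(pat, "/") {
				candidate = strings.Join(segs[:i+1], "/")
			}
			if ok, _ := path.Match(pat, candidate); ok {
				return true
			}
		}
	}
	return false
}

// Prune trims excluded paths and children in place. It returns false when a node
// had paths and none survived, i.e. the component was only found under an
// excluded location and should be dropped from its parent.
func Prune(d *Dep, patterns []string) bool {
	var kids []*Dep
	for _, c := range d.Children {
		if Prune(c, patterns) {
			kids = append(kids, c)
		}
	}
	d.Children = kids
	var keep []string
	for _, p := range d.Paths {
		if !Excluded(p, patterns) {
			keep = append(keep, p)
		}
	}
	hadPaths := len(d.Paths) > 0
	d.Paths = keep
	return !hadPaths || len(keep) > 0
}

// FilterReport decodes a report and prunes it; the root project node is always kept.
func FilterReport(raw []byte, patterns []string) (*Report, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	Prune(&r.Dep, patterns)
	return &r, nil
}

// Coords lists "vendor:name:version" for the direct children of a node.
func Coords(d *Dep) []string {
	var out []string
	for _, c := range d.Children {
		out = append(out, c.Vendor+":"+c.Name+":"+c.Version)
	}
	return out
}

// SampleReport is a constructed, shortened copy of the report from the issue:
// the test jar under JarCollection next to the real pom.xml dependency tree.
const SampleReport = `{
  "task_info": {"tool_version": "v3.0.7", "app_name": "TestCaseDroid"},
  "id": "1",
  "children": [
    {"vendor": "org.example", "name": "soot", "version": "1.0-SNAPSHOT", "language": "Java", "direct": true,
     "paths": ["TestCaseDroid\\TestCaseDroid\\JarCollection\\soot-1.0.jar\\META-INF\\maven\\org.example\\soot\\pom.xml\\[org.example:soot:1.0-SNAPSHOT]"]},
    {"vendor": "edu.xjtu", "name": "TestCaseDroid", "version": "1.2", "language": "Java", "direct": true,
     "paths": ["TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]"],
     "children": [
       {"vendor": "org.soot-oss", "name": "soot", "version": "4.6.0", "language": "Java", "direct": true,
        "paths": ["TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]"]}
     ]}
  ]
}`

func main() {
	r, err := FilterReport([]byte(SampleReport), []string{"JarCollection", "*.jar"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(out))
}
```

Run with the report written by `"out": "output.json"` piped in place of SampleReport; the org.example:soot:1.0-SNAPSHOT entry found inside JarCollection disappears, while org.soot-oss:soot:4.6.0, which is declared in pom.xml, survives because its path does not pass through the excluded directory.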
Thank you very much for your reply and for your contribution. I tried this approach, but it does not solve my problem: the jar is still picked up. Config:
{
// project path
// support http(s)/ftp/file protocol
"path": "",
// report path
// support ext: html/json/xml/csv/sqlite/cdx/spdx/swid/dsdx
"out": "output.json,output.html",
// log path
"log": "opensca.log",
// opensca optional
"optional": {
// open ui
"ui": false,
// delete duplicate components and merge path
"dedup": false,
// only detect directory (skip compress file)
"dir": true,
// only save components with vulnerability
"vuln": false,
// open progress bar
"progress": true,
// save develop components
"dev": true,
// use tls verify, default: false
"tls": false,
// global proxy for http requests, eg: http://127.0.0.1:7890
"proxy": ""
},
// repo config
"repo": {
// maven repo
"maven": [
{
"url": "https://maven.aliyun.com/repository/public",
// auth info, not required
"username": "",
"password": ""
},
{
"url": "https://repo.maven.apache.org/maven2/"
}
],
// npm repo
"npm": [
{
"url": "https://registry.npmmirror.com"
}
],
// composer repo
"composer": [
{
"url":"https://mirrors.aliyun.com/composer/p2"
}
]
},
// database origin
"origin": {
// opensca web service url
"url": "https://opensca.xmirror.cn",
// opensca web service token
"token": "",
// opensca saas project id, not required
// "proj": "",
// json dbfile
"json": "",
// mysql origin
"mysql": {
// user:password@tcp(ip:port)/dbname
"dsn": "",
"table": ""
},
// sqlite origin
"sqlite": {
// sqlite dbfile
"dsn": "",
"table": ""
}
}
}
Output:
{
"task_info": {
"tool_version": "v3.0.7",
"app_name": "TestCaseDroid",
"size": 0,
"start_time": "2025-04-27 14:22:39",
"end_time": "2025-04-27 14:22:40",
"cost_time": 0.4183353,
"error": "not config vuln database origin"
},
"vendor": "edu.xjtu",
"name": "TestCaseDroid",
"version": "1.2",
"language": "Java",
"id": "57204243175145472",
"direct": true,
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]"
],
"licenses": [
{
"name": "MIT"
}
],
"children": [
{
"vendor": "org.soot-oss",
"name": "soot",
"version": "4.6.0",
"language": "Java",
"id": "57204243175145473",
"direct": true,
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]"
],
"licenses": [
{
"name": "GNU LESSER GENERAL PUBLIC LICENSE 2.1"
}
],
"children": [
{
"vendor": "commons-io",
"name": "commons-io",
"version": "2.17.0",
"language": "Java",
"id": "57204243175145485",
"paths": [
"TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]\\[commons-io:commons-io:2.17.0]"
]