feat: SBOM 支持在扫描后输出。

cmd/murphy/internal/common/sbom_format_flag.go

@@ -0,0 +1,33 @@
+package common
+
+import (
+	"fmt"
+	"github.com/spf13/pflag"
+)
+
+
+type SBOMFormatFlag struct {
+	Valid bool
+}
+
+func (t *SBOMFormatFlag) String() string {
+	if !t.Valid {
+		return "invalid"
+	}
+	return "murphysec1.1+json"
+}
+
+func (t *SBOMFormatFlag) Set(s string) error {
+	// temporary implementation
+	if s!="murphysec1.1+json" {
+		return fmt.Errorf("unsupported format: %s", s)
+	}
+	t.Valid = true
+	return nil
+}
+
+func (t *SBOMFormatFlag) Type() string {
+	return "sbomFormatFlag"
+}
+
+var _ pflag.Value = (*SBOMFormatFlag)(nil)

cmd/murphy/internal/scan/cmd.go

@@ -1,6 +1,7 @@
 package scan
 
 import (
+	"bufio"
 	"context"
 	"encoding/json"
 	"errors"
@@ -18,6 +19,8 @@ import (
 	"github.com/murphysecurity/murphysec/utils"
 	"github.com/murphysecurity/murphysec/utils/must"
 	"github.com/spf13/cobra"
+	"io"
+	"os"
 	"path/filepath"
 )
 
@@ -31,6 +34,8 @@ var privateSourceId string
 var privateSourceName string
 var projectTagNames []string
 var concurrentNumber int
+var sbomOutputConfig string
+var sbomOutputType common.SBOMFormatFlag
 
 func Cmd() *cobra.Command {
 	var c cobra.Command
@@ -63,6 +68,8 @@ func DfCmd() *cobra.Command {
 	c.Flags().StringVar(&mavenSettingsPath, "maven-settings", "", "specify the path of maven settings")
 	c.Flags().BoolVar(&onlyTaskId, "only-task-id", false, "print task id after task created, the scan result will not be printed")
 	c.Flags().StringArrayVar(&projectTagNames, "project-tag", make([]string, 0), "specify the tag of the project")
+	c.Flags().StringVar(&sbomOutputConfig, "sbom-output", "", "")
+	c.Flags().Var(&sbomOutputType, "sbom-format", "")
 	return &c
 }
 
@@ -75,6 +82,8 @@ func EnvCmd() *cobra.Command {
 	c.Flags().StringVar(&projectNameCli, "project-name", "", "specify project name")
 	c.Flags().BoolVar(&onlyTaskId, "only-task-id", false, "print task id after task created, the scan result will not be printed")
 	c.Flags().StringArrayVar(&projectTagNames, "project-tag", make([]string, 0), "specify the tag of the project")
+	c.Flags().StringVar(&sbomOutputConfig, "sbom-output", "-", "")
+	c.Flags().Var(&sbomOutputType, "sbom-format", "")
 	return &c
 }
 
@@ -164,20 +173,36 @@ func scanRun(cmd *cobra.Command, args []string) {
 
 func envScanRun(cmd *cobra.Command, args []string) {
 	var ctx = context.TODO()
-	if jsonOutput {
+	if sbomOutputType.Valid {
+		ctx = ui.With(ctx, ui.None)
+	} else if jsonOutput {
 		ctx = ui.With(ctx, ui.IDEA)
 	} else if onlyTaskId {
 		ctx = ui.With(ctx, ui.None)
 	} else {
 		ctx = ui.With(ctx, ui.CLI)
 	}
 	var e error
-	ctx, e = commonInit(ctx)
+	if sbomOutputType.Valid {
+		ctx, e = commonInitNoAPI(ctx)
+	} else {
+		ctx, e = commonInit(ctx)
+	}
 	if e != nil {
 		return
 	}
 	logger := logctx.Use(ctx).Sugar()
-	r, e := envScan(ctx)
+	var r *model.ScanTask
+	if sbomOutputType.Valid {
+		r, e = envScanSbomOnly(ctx)
+		if e != nil {
+			exitcode.Set(1)
+		}
+		doSBOMOnlyPrint(ctx, r)
+		return
+	} else {
+		r, e = envScan(ctx)
+	}
 	if errors.Is(e, inspector.ErrNoWait) {
 		return
 	}
@@ -198,7 +223,10 @@ func envScanRun(cmd *cobra.Command, args []string) {
 func dfScanRun(cmd *cobra.Command, args []string) {
 	var ctx = context.TODO()
 	ctx = scanerr.WithCtx(ctx)
-	if jsonOutput {
+	// todo
+	if sbomOutputConfig != "" && sbomOutputConfig != "-" {
+		ctx = ui.With(ctx, ui.None)
+	} else if jsonOutput {
 		ctx = ui.With(ctx, ui.IDEA)
 	} else if onlyTaskId {
 		ctx = ui.With(ctx, ui.None)
@@ -215,10 +243,18 @@ func dfScanRun(cmd *cobra.Command, args []string) {
 	if e != nil {
 		return
 	}
-	ctx, e = commonInit(ctx)
+	if sbomOutputType.Valid {
+		ctx, e = commonInitNoAPI(ctx)
+	} else {
+		ctx, e = commonInit(ctx)
+	}
 	if e != nil {
 		return
 	}
+	if sbomOutputType.Valid {
+		scanSbomOnly(ctx, scanDir)
+		return
+	}
 	logger := logctx.Use(ctx).Sugar()
 	r, e := scan(ctx, scanDir, model.AccessTypeCli, model.ScanModeSource)
 	if errors.Is(e, inspector.ErrNoWait) {
@@ -335,3 +371,35 @@ func reportIdeError(ctx context.Context, status model.IDEStatus, e error) {
 	}
 	fmt.Println(string(must.A(json.MarshalIndent(resp, "", "  "))))
 }
+
+func doSBOMOnlyPrint(ctx context.Context, task *model.ScanTask) {
+	var logger = logctx.Use(ctx)
+	_ = logger.Sync()
+	if sbomOutputConfig == "" {
+		panic("sbomOutputConfig == \"\"")
+	}
+	var writer io.Writer
+	if sbomOutputConfig == "-" {
+		writer = os.Stdout
+	} else {
+		f, e := os.OpenFile(sbomOutputConfig, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
+		if e != nil {
+			panic(e)
+		}
+		writer = f
+		defer func() {
+			var e = f.Close()
+			if e != nil {
+				panic(e)
+			}
+		}()
+	}
+	var bufioWriter = bufio.NewWriter(writer)
+	var enc = json.NewEncoder(bufioWriter)
+	must.M(bufioWriter.Flush())
+	enc.SetIndent("", "    ")
+	if task.Modules == nil {
+		task.Modules = make([]model.Module, 0)
+	}
+	must.M(enc.Encode(map[string]any{"modules": task.Modules}))
+}

cmd/murphy/internal/scan/scan.go

@@ -24,6 +24,13 @@ import (
 	"go.uber.org/zap"
 )
 
+func envScanSbomOnly(ctx context.Context) (task *model.ScanTask, e error) {
+	task = &model.ScanTask{}
+	ctx = model.WithScanTask(ctx, task)
+	e = envinspection.InspectEnv(ctx)
+	return
+}
+
 func envScan(ctx context.Context) (task *model.ScanTask, e error) {
 	logger := logctx.Use(ctx).Sugar()
 	cv.DisplayScanning(ctx)
@@ -111,6 +118,15 @@ func postScanHook(ctx context.Context) (a any, e error) {
 	return
 }
 
+func scanSbomOnly(ctx context.Context, dir string) {
+	var task = &model.ScanTask{
+		ProjectPath: dir,
+	}
+	ctx = model.WithScanTask(ctx, task)
+	_ = inspector.ManagedInspect(ctx)
+	doSBOMOnlyPrint(ctx, task)
+}
+
 func scan(ctx context.Context, dir string, accessType model.AccessType, mode model.ScanMode) (*model.ScanTask, error) {
 	must.NotNil(ctx)
 	must.True(filepath.IsAbs(dir))