Scanning Java Projects with Xcalscan

Xcalscan performs quality and security analysis on the source code of Java projects. It checks coding conventions, coding defects, data flow and business flow, so that a Java project's source can be reviewed for both code quality and security in one pass.

1 Environment

1.1 Ubuntu 16.04;
1.2 Java 1.8;
1.3 Maven/Gradle plugin;
1.4 XcalScan 1.2;

2 Setting up a Maven project

2.1 Maven project

Create a new Maven project, or add the scan configuration to an existing one. For creating a Maven project from scratch, see:
Maven installation and configuration (Linux): https://blog.csdn.net/testshaw/article/details/107378649

2.2 Edit pom.xml

Add the xvsa-maven-plugin to the <build> section of pom.xml (the fragment below sits inside the top-level <project> element):

  <build>
      <plugins>
        <plugin>
          <groupId>io.xc5</groupId>
          <artifactId>xvsa-maven-plugin</artifactId>
          <version>1.39</version>
        </plugin>
      </plugins>
  </build>

3 Setting up a Gradle project

3.1 Gradle project

Create a new Gradle project, or add the scan configuration to an existing one. For creating a Gradle project from scratch, see:
Gradle installation and configuration (Linux): https://blog.csdn.net/testshaw/article/details/107379581

3.2 Edit the build.gradle file

For a Groovy DSL build, modify the build script (build.gradle). Note that mavenLocal() makes Gradle resolve io.xc5.plugin:xvsa:1.0 from the local Maven repository (~/.m2/repository), so the XcalScan plugin artifacts must already be installed there, otherwise the buildscript classpath cannot be resolved:

// put this buildscript block at the top of the file
buildscript {
  // keep it above any existing repositories/dependencies blocks; do not merge it into them
  repositories {
    mavenLocal()
  }
  dependencies {
    classpath group: 'io.xc5.plugin', name: 'xvsa', version: '1.0'
  }
}

// apply the plugin to every project; put this at the bottom of the file
allprojects {
    apply plugin: "io.xc5.plugin.gradle"
}

For a Kotlin DSL build, modify the build script (build.gradle.kts); the same mavenLocal() requirement applies:

// put this buildscript block at the top of the file;
// if the file already has a buildscript block, merge these entries into it
buildscript {
    repositories {
        mavenLocal()
    }

    dependencies {
        classpath("io.xc5.plugin:xvsa:1.0")
    }
}

// apply the plugin to every project; put this at the bottom of the file
allprojects {
    apply(plugin = "io.xc5.plugin.gradle")
}

4 Test programs

4.1 mavendemo project (src/main/java/mavendemo/App.java in the standard Maven layout)

package mavendemo;

/**
 * Hello world!
 *
 */
public class App 
{
    public static void main( String[] args )
    {
        System.out.println( "Hello World!" );
    }
}

4.2 gradledemo project

$ vim src/main/java/gradledemo/App.java
/*
 * This Java source file was generated by the Gradle 'init' task.
 */
package gradledemo;

public class App {
    public String getGreeting() {
        return "Hello world.";
    }

    public static void main(String[] args) {
        System.out.println(new App().getGreeting());
    }
}

5 Scanning the projects

5.1 mavendemo project

Edit the project scan configuration file:

$ cd ~~/xcalagent/
$ vim workdir/mavendemo.conf
{
    "projectId": "mavendemo1",
    "projectName": "mavendemo",
    "projectPath": "/home/uftp/02_opensource/02_java/mavendemo",
    "builderPath": "/home/uftp/02_opensource/02_java/gradledemo",
    "uploadSourceCode": "Y",
    "scanConfig":{
        "lang":"java",
        "build": "mvn",
        "jobQueueName": "shaw-agent"
    }
}

Note: in this Maven configuration the top-level builderPath points at the gradledemo directory, a leftover from the Gradle configuration. The composed command line in the log below invokes plain mvn from PATH and does not use this value, so the scan still runs; it should nevertheless be corrected or removed so the config is not misleading.

Start the project scan:

$ bash ./ci/xcal-scanner.sh mavendemo
Workdir: /home/shaw/agent/xcalagent-2020-07-12/xcalagent
WARNING:root:Jaeger seems missing, skipping Jaeger initialization
2020-07-16 02:55:59,675 - INFO     - process_arguments: begin to process arguments
2020-07-16 02:55:59,676 - TRACE    - command_line_runner  trying to login to server ...
2020-07-16 02:55:59,716 - TRACE    - command_line_runner  login completed.
2020-07-16 02:55:59,741 - TRACE    - command_line_runner  creating project scan task ...
2020-07-16 02:55:59,791 - TRACE    - command_line_runner  preparing the job configuration ...
2020-07-16 02:55:59,791 - TRACE    - command_line_runner  performing offline preprocessing ...
2020-07-16 02:55:59,793 - TRACE    - Starting Java Prescan Task 
2020-07-16 02:55:59,794 - TRACE    - Composed command-line to run : mvn io.xc5:xvsa-maven-plugin:1.39:gather -Dxvsa.jfe.skip=true -Dxvsa.dir= -Dxvsa.phantom=true -Dxvsa.result=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36/xvsa-out -Dxvsa.srclist=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36/source_files.json -X  
2020-07-16 02:55:59,798 - TRACE    - Invoking Maven process to files ('invocation line:', 'mvn io.xc5:xvsa-maven-plugin:1.39:gather -Dxvsa.jfe.skip=true -Dxvsa.dir= -Dxvsa.phantom=true -Dxvsa.result=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36/xvsa-out -Dxvsa.srclist=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36/source_files.json -X ', 'out:', '/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36/javapreprocess.log', 'workdir:', '/home/uftp/02_opensource/02_java/mavendemo')
.......................
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] ------------------------------------------------------------------------
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] BUILD SUCCESS
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] ------------------------------------------------------------------------
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] Total time: 2.945 s
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] Finished at: 2020-07-16T01:19:50-07:00
2020-07-16 01:19:50,516 - TRACE    - [output] [INFO] Final Memory: 13M/222M
2020-07-16 01:19:50,516 - TRACE    - [output] [INFO] ------------------------------------------------------------------------
2020-07-16 01:19:55,804 - TRACE    - command_line_runner  offline preprocessing finished.

5.2 gradledemo project

Edit the project scan configuration file. For a Gradle project, scanConfig.builderPath must point at the project's gradlew wrapper, which the agent executes directly (see the composed command line in the log below):

$ cd ~~/xcalagent/
$ vim workdir/gradledemo.conf
{
    "projectId": "gradledemo",
    "projectName": "gradledemo",
    "projectPath": "/home/uftp/02_opensource/02_java/gradledemo",
    "uploadSourceCode": "Y",
    "scanConfig":{
        "lang":"java",
        "build": "gradle",
        "builderPath": "/home/uftp/02_opensource/02_java/gradledemo/gradlew",
        "jobQueueName": "shaw-agent"
    }
}
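Both configuration files above are plain JSON, and the two mistakes easiest to make in them are visible on this very page: a builderPath copied from the other project, and a missing gradlew path for a Gradle build. The following pre-flight check is an added example, not part of Xcalscan or the xcalagent. Everything it knows about the format is taken from the two configs and the two logged command lines on this page (the mvn prescan runs plain mvn from PATH, the Gradle prescan executes scanConfig.builderPath directly); the accepted values for uploadSourceCode ("Y"/"N") and the helper names are assumptions.

```python
import json
import os

# Added pre-flight check for the xcalagent workdir/<project>.conf files shown
# above. This is example code, not part of Xcalscan or the agent: the keys and
# the two builder names come from the two configs and the two logged command
# lines on this page; the accepted values for uploadSourceCode are an assumption.
SUPPORTED_BUILDS = ("mvn", "gradle")
BUILD_FILES = {"mvn": ("pom.xml",), "gradle": ("build.gradle", "build.gradle.kts")}
REQUIRED_TOP = ("projectId", "projectName", "projectPath", "uploadSourceCode", "scanConfig")
REQUIRED_SCAN = ("lang", "build", "jobQueueName")


def _inside(path, project):
    """True when path is the project directory or lies under it."""
    return path == project or path.startswith(project.rstrip("/") + "/")


def validate_scan_conf(conf, path_exists=os.path.exists):
    """Return a list of problems; an empty list means the config looks usable.

    path_exists is injectable so the filesystem checks can be run against a
    stubbed directory layout; the default is os.path.exists.
    """
    problems = [f"missing top-level key: {k}" for k in REQUIRED_TOP if k not in conf]
    scan = conf.get("scanConfig") or {}
    problems += [f"missing scanConfig key: {k}" for k in REQUIRED_SCAN if k not in scan]
    if problems:
        return problems

    if conf["uploadSourceCode"] not in ("Y", "N"):  # assumed accepted values
        problems.append(f"uploadSourceCode should be Y or N, got {conf['uploadSourceCode']!r}")
    if scan["lang"] != "java":
        problems.append(f"lang is {scan['lang']!r}; this guide covers java only")
    build = scan["build"]
    if build not in SUPPORTED_BUILDS:
        return problems + [f"unsupported build {build!r}; expected one of {SUPPORTED_BUILDS}"]

    project = conf["projectPath"]
    if not path_exists(project):
        problems.append(f"projectPath does not exist: {project}")
    elif not any(path_exists(os.path.join(project, f)) for f in BUILD_FILES[build]):
        problems.append(f"none of {BUILD_FILES[build]} found under projectPath; wrong build or wrong path")

    if build == "gradle":
        # The logged gradle prescan executes scanConfig.builderPath directly
        # ("<project>/gradlew xvsa ..."), so it must be an existing wrapper.
        wrapper = scan.get("builderPath")
        if not wrapper:
            problems.append("build=gradle needs scanConfig.builderPath = <projectPath>/gradlew")
        else:
            if os.path.basename(wrapper) != "gradlew":
                problems.append(f"scanConfig.builderPath should be the gradlew wrapper, got {wrapper}")
            if not path_exists(wrapper):
                problems.append(f"scanConfig.builderPath does not exist: {wrapper}")
            if not _inside(wrapper, project):
                problems.append("scanConfig.builderPath lies outside projectPath (copied from another project?)")
    else:
        # The logged maven prescan runs plain `mvn` from PATH and ignores a
        # top-level builderPath; one pointing into another project is a leftover.
        stray = conf.get("builderPath")
        if stray and not _inside(stray, project):
            problems.append(f"top-level builderPath {stray} is outside projectPath and unused by the mvn prescan")
    return problems


def load_scan_conf(path):
    """Read workdir/<project>.conf; the agent's .conf files are plain JSON."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    for conf_path in sys.argv[1:]:
        issues = validate_scan_conf(load_scan_conf(conf_path))
        print(conf_path, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Run it as `python3 check_conf.py workdir/mavendemo.conf workdir/gradledemo.conf` from the agent directory before calling ci/xcal-scanner.sh. Against the two configs on this page it reports the stray builderPath in mavendemo.conf and passes gradledemo.conf.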

Start the project scan:

$ bash ./ci/xcal-scanner.sh gradledemo
Workdir: /home/shaw/agent/xcalagent-2020-07-12/xcalagent
WARNING:root:Jaeger seems missing, skipping Jaeger initialization
2020-07-15 19:23:32,194 - INFO     - process_arguments: begin to process arguments
2020-07-15 19:23:32,196 - TRACE    - command_line_runner  trying to login to server ...
2020-07-15 19:23:32,264 - TRACE    - command_line_runner  login completed.
2020-07-15 19:23:32,352 - TRACE    - command_line_runner  creating project scan task ...
2020-07-15 19:23:32,398 - TRACE    - command_line_runner  preparing the job configuration ...
2020-07-15 19:23:32,398 - TRACE    - command_line_runner  performing offline preprocessing ...
2020-07-15 19:23:32,407 - TRACE    - Starting Java Prescan Task 
2020-07-15 19:23:32,411 - TRACE    - Composed command-line to run : /home/uftp/02_opensource/02_java/gradledemo/gradlew xvsa -PXVSA_JFE_SKIP=true -PXVSA_HOME= -PXVSA_GRADLE_OUTPUT=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a/xvsa-out -PXVSA_SRC_LIST=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a/source_files.json --info  
2020-07-15 19:23:32,412 - TRACE    - Invoking Maven process to files ('invocation line:', '/home/uftp/02_opensource/02_java/gradledemo/gradlew xvsa -PXVSA_JFE_SKIP=true -PXVSA_HOME= -PXVSA_GRADLE_OUTPUT=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a/xvsa-out -PXVSA_SRC_LIST=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a/source_files.json --info ', 'out:', '/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a/javapreprocess.log', 'workdir:', '/home/uftp/02_opensource/02_java/gradledemo')
2020-07-15 19:23:44,354 - TRACE    - run ScannerConnectorTask completed
2020-07-15 19:23:44,826 - TRACE    - command_line_runner  offline preprocessing finished.
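The console output of ci/xcal-scanner.sh, for both mavendemo and gradledemo above, is where you confirm that the offline prescan actually completed before looking for results on the web server. Two things are worth pulling out of it automatically: the job id under workdir/jobs/, because that directory holds the xvsa-out output and the javapreprocess.log with the full Maven or Gradle build output, and the "offline preprocessing finished." line, without which nothing was submitted. The following summariser is an added example, not part of the xcalagent or Xcalscan; its line patterns are taken from the logs on this page, and the two sample logs embedded below are constructed, shortened copies of them. It also flags timestamps that go backwards, which the Maven excerpt above does (02:55:59 followed by 01:19:50), a sign that output from two runs was spliced together.

```python
import re
from datetime import datetime

# Added example, not part of the xcalagent or Xcalscan: read the console output
# of ci/xcal-scanner.sh and report whether the offline prescan finished, which
# job directory it used, and where javapreprocess.log was written. Line
# patterns come from the logs on this page; the sample logs below are
# constructed, shortened copies of them.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} - (\w+)\s+- (.*)$")
JOB_RE = re.compile(r"/workdir/jobs/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/")
OUT_RE = re.compile(r"'out:', '([^']+)'")
CMD_RE = re.compile(r"Composed command-line to run : (\S+)")


def summarize_prescan(log_text):
    """Return a dict describing what the agent output says about the prescan."""
    s = {
        "build_tool": None,      # "mvn" or "gradle", from the composed command line
        "job_ids": [],           # workdir/jobs/<id> directories referenced, in order
        "preprocess_log": None,  # javapreprocess.log path: the build output goes there
        "build_success": False,  # maven echoes "[output] [INFO] BUILD SUCCESS" here
        "finished": False,       # "offline preprocessing finished." was logged
        "errors": [],            # ERROR/CRITICAL lines
        "warnings": [],          # python "WARNING:" lines plus sanity warnings
    }
    last_ts, went_back = None, False
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            exe = m.group(1)
            s["build_tool"] = "gradle" if exe.endswith("gradlew") else exe
        m = JOB_RE.search(line)
        if m and m.group(1) not in s["job_ids"]:
            s["job_ids"].append(m.group(1))
        m = OUT_RE.search(line)
        if m:
            s["preprocess_log"] = m.group(1)
        if "[output] [INFO] BUILD SUCCESS" in line:
            s["build_success"] = True
        if "offline preprocessing finished" in line:
            s["finished"] = True
        if line.startswith("WARNING:"):
            s["warnings"].append(line)
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if last_ts is not None and ts < last_ts and not went_back:
                s["warnings"].append("timestamps go backwards: output spliced from more than one run?")
                went_back = True
            last_ts = ts
            if m.group(2) in ("ERROR", "CRITICAL"):
                s["errors"].append(m.group(3))
    if len(s["job_ids"]) > 1:
        s["warnings"].append("more than one job id in one run's output")
    s["ok"] = s["finished"] and not s["errors"]
    return s


# Constructed samples, condensed from the two logs on this page.
WORKDIR = "/home/shaw/agent/xcalagent-2020-07-12/xcalagent"
MVN_JOB = f"{WORKDIR}/workdir/jobs/dfd16aea-93f8-4b03-9640-3c4c49f19c36"
SAMPLE_MAVEN_LOG = f"""Workdir: {WORKDIR}
WARNING:root:Jaeger seems missing, skipping Jaeger initialization
2020-07-16 02:55:59,675 - INFO     - process_arguments: begin to process arguments
2020-07-16 02:55:59,794 - TRACE    - Composed command-line to run : mvn io.xc5:xvsa-maven-plugin:1.39:gather -Dxvsa.result={MVN_JOB}/xvsa-out -X
2020-07-16 02:55:59,798 - TRACE    - Invoking Maven process to files ('invocation line:', 'mvn io.xc5:xvsa-maven-plugin:1.39:gather -X ', 'out:', '{MVN_JOB}/javapreprocess.log', 'workdir:', '/home/uftp/02_opensource/02_java/mavendemo')
.......................
2020-07-16 01:19:50,442 - TRACE    - [output] [INFO] BUILD SUCCESS
2020-07-16 01:19:55,804 - TRACE    - command_line_runner  offline preprocessing finished.
"""
GRADLE_JOB = f"{WORKDIR}/workdir/jobs/920ee5af-7b40-4fbf-9ca7-950f36f0776a"
SAMPLE_GRADLE_LOG = f"""Workdir: {WORKDIR}
2020-07-15 19:23:32,411 - TRACE    - Composed command-line to run : /home/uftp/02_opensource/02_java/gradledemo/gradlew xvsa -PXVSA_GRADLE_OUTPUT={GRADLE_JOB}/xvsa-out --info
2020-07-15 19:23:32,412 - TRACE    - Invoking Maven process to files ('invocation line:', '... --info ', 'out:', '{GRADLE_JOB}/javapreprocess.log', 'workdir:', '/home/uftp/02_opensource/02_java/gradledemo')
2020-07-15 19:23:44,354 - TRACE    - run ScannerConnectorTask completed
2020-07-15 19:23:44,826 - TRACE    - command_line_runner  offline preprocessing finished.
"""

if __name__ == "__main__":
    for name, log in (("mavendemo", SAMPLE_MAVEN_LOG), ("gradledemo", SAMPLE_GRADLE_LOG)):
        print(name, summarize_prescan(log))
```

In practice pipe the real output in, for example `bash ./ci/xcal-scanner.sh gradledemo 2>&1 | tee scan.log` and then `summarize_prescan(open("scan.log").read())`. For a Gradle project the BUILD SUCCESS marker is not echoed into the agent output, so the build result has to be read from the javapreprocess.log path the summary returns.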

6 Checking the scan results on the web server

[Figure 1: scan results for the project on the Xcalscan web server]
[Figure 2: scan results for the project on the Xcalscan web server]
