1010# 2. 代码风格检查 - 使用 Checkstyle 确保代码风格一致
1111# 3. 静态分析 - 使用 SpotBugs 和 PMD 检测潜在 Bug 和代码质量问题
1212# 4. 单元测试 - 运行所有测试并生成报告
13- # 5. 依赖漏洞扫描 - 检查已知安全漏洞
14- # 6. 代码重复度检查 - 使用 CPD 检测重复代码
13+ # 5. 代码重复度检查 - 使用 CPD 检测重复代码
1514# ============================================================================
1615
1716name : 代码检查
@@ -346,119 +345,7 @@ jobs:
346345 if-no-files-found : warn
347346
348347 # ==========================================================================
349- # Job 5: 依赖漏洞扫描
350- # ==========================================================================
351- dependency-scan :
352- name : 依赖漏洞扫描
353- runs-on : ubuntu-latest
354- needs : build
355-
356- env :
357- NVD_API_KEY : ${{ secrets.NVD_API_KEY }}
358-
359- steps :
360- - name : 检出代码仓库
361- uses : actions/checkout@v4
362-
363- - name : 配置 JDK 17
364- uses : actions/setup-java@v4
365- with :
366- java-version : " 17"
367- distribution : " temurin"
368-
369- - name : 缓存 Gradle 依赖
370- uses : actions/cache@v4
371- with :
372- path : |
373- ~/.gradle/caches
374- ~/.gradle/wrapper
375- key : gradle-${{ runner.os }}-${{ hashFiles('**/*.gradle.kts', 'gradle/wrapper/gradle-wrapper.properties') }}
376- restore-keys : |
377- gradle-${{ runner.os }}-
378-
379- # 缓存 OWASP NVD 数据库,避免每次运行都重新下载
380- - name : 缓存 NVD 数据库
381- uses : actions/cache@v4
382- with :
383- path : |
384- ~/.m2/repository/org/owasp/dependency-check-data/
385- /tmp/dependency-check-data/
386- key : nvd-db-${{ runner.os }}-${{ github.run_id }}
387- restore-keys : |
388- nvd-db-${{ runner.os }}-
389-
390- - name : 赋予 Gradlew 可执行权限
391- run : chmod +x gradlew
392-
393- - name : 分析依赖树
394- run : |
395- echo "## 依赖分析" >> $GITHUB_STEP_SUMMARY
396- echo "" >> $GITHUB_STEP_SUMMARY
397- echo '```' >> $GITHUB_STEP_SUMMARY
398- ./gradlew dependencies --no-daemon --configuration runtimeClasspath 2>&1 | head -200 >> $GITHUB_STEP_SUMMARY || true
399- echo '```' >> $GITHUB_STEP_SUMMARY
400-
401- # OWASP 依赖漏洞扫描
402- # 免费申请 NVD API Key:https://nvd.nist.gov/developers/request-an-api-key
403- # 配置方法:GitHub 仓库 → Settings → Secrets → Actions → NVD_API_KEY
404- - name : OWASP 依赖漏洞扫描
405- run : |
406- # 检查是否配置了 NVD API Key
407- if [ -n "$NVD_API_KEY" ]; then
408- echo "✅ 已检测到 NVD API Key,将使用 API Key 加速扫描"
409- else
410- echo "⚠️ 未检测到 NVD API Key,扫描可能会非常缓慢"
411- echo "💡 请前往 https://nvd.nist.gov/developers/request-an-api-key 免费申请"
412- echo "💡 然后在 GitHub 仓库 Settings → Secrets → Actions 中添加 NVD_API_KEY"
413- fi
414-
415- mkdir -p build/reports/dependency-check
416-
417- # 尝试使用 Gradle OWASP 插件运行
418- if ./gradlew tasks --no-daemon --quiet 2>/dev/null | grep -q "dependencyCheckAnalyze"; then
419- echo "检测到项目已配置 OWASP 插件,使用 Gradle 运行..."
420- if [ -n "$NVD_API_KEY" ]; then
421- ./gradlew dependencyCheckAnalyze --no-daemon \
422- -DnvdApiKey=$NVD_API_KEY \
423- -DnvdApiDelay=6000 || true
424- else
425- ./gradlew dependencyCheckAnalyze --no-daemon || true
426- fi
427- else
428- echo "项目未配置 OWASP 插件,使用命令行工具运行..."
429- DC_VERSION="10.0.4"
430- wget -q "https://github.com/jeremylong/DependencyCheck/releases/download/v${DC_VERSION}/dependency-check-${DC_VERSION}-release.zip" -O /tmp/dc.zip
431- unzip -q /tmp/dc.zip -d /tmp/
432-
433- ./gradlew dependencies --no-daemon --write-locks || true
434-
435- # 构建 OWASP 命令参数
436- DC_ARGS="--project Mcpatch2JavaClient"
437- DC_ARGS="$DC_ARGS --scan build/"
438- DC_ARGS="$DC_ARGS --out build/reports/dependency-check"
439- DC_ARGS="$DC_ARGS --format HTML"
440- DC_ARGS="$DC_ARGS --format JSON"
441- DC_ARGS="$DC_ARGS --failOnCVSS 7"
442- DC_ARGS="$DC_ARGS --data /tmp/dependency-check-data"
443-
444- if [ -n "$NVD_API_KEY" ]; then
445- DC_ARGS="$DC_ARGS --nvdApiKey $NVD_API_KEY"
446- fi
447-
448- /tmp/dependency-check/bin/dependency-check.sh $DC_ARGS || true
449- fi
450-
451- - name : 上传漏洞扫描报告
452- uses : actions/upload-artifact@v4
453- if : always()
454- with :
455- name : dependency-scan-report
456- path : build/reports/dependency-check/
457- retention-days : 7
458- if-no-files-found : warn
459-
460- # ==========================================================================
461- # Job 6: 代码重复度检查 (CPD)
348+ # Job 5: 代码重复度检查 (CPD)
462349 # ==========================================================================
463350 code-duplication :
464351 name : 代码重复度检查
@@ -525,12 +412,12 @@ jobs:
525412 if-no-files-found : warn
526413
527414 # ==========================================================================
528- # Job 7 : 综合检查结果汇总
415+ # Job 6 : 综合检查结果汇总
529416 # ==========================================================================
530417 check-results :
531418 name : 检查结果汇总
532419 runs-on : ubuntu-latest
533- needs : [build, checkstyle, static-analysis, test, dependency-scan, code-duplication]
420+ needs : [build, checkstyle, static-analysis, test, code-duplication]
534421 if : always()
535422
536423 steps :
@@ -543,7 +430,6 @@ jobs:
543430 CHECKSTYLE_STATUS="${{ needs.checkstyle.result }}"
544431 STATIC_STATUS="${{ needs.static-analysis.result }}"
545432 TEST_STATUS="${{ needs.test.result }}"
546- DEP_STATUS="${{ needs.dependency-scan.result }}"
547433 CPD_STATUS="${{ needs.code-duplication.result }}"
548434
549435 echo "| 检查项 | 状态 |" >> $GITHUB_STEP_SUMMARY
@@ -552,7 +438,6 @@ jobs:
552438 echo "| 代码风格检查 | ${CHECKSTYLE_STATUS} |" >> $GITHUB_STEP_SUMMARY
553439 echo "| 静态分析 | ${STATIC_STATUS} |" >> $GITHUB_STEP_SUMMARY
554440 echo "| 单元测试 | ${TEST_STATUS} |" >> $GITHUB_STEP_SUMMARY
555- echo "| 依赖漏洞扫描 | ${DEP_STATUS} |" >> $GITHUB_STEP_SUMMARY
556441 echo "| 代码重复度检查 | ${CPD_STATUS} |" >> $GITHUB_STEP_SUMMARY
557442 echo "" >> $GITHUB_STEP_SUMMARY
558443
@@ -569,9 +454,5 @@ jobs:
569454 echo "❌ **测试失败**:存在未通过的测试用例。" >> $GITHUB_STEP_SUMMARY
570455 fi
571456
572- if [[ "${DEP_STATUS}" == "failure" ]]; then
573- echo "🚨 **安全漏洞**:发现高危依赖漏洞,请尽快修复!" >> $GITHUB_STEP_SUMMARY
574- fi
575-
576457 echo "" >> $GITHUB_STEP_SUMMARY
577458 echo "> 📋 详细报告可在 Artifacts 中下载查看" >> $GITHUB_STEP_SUMMARY
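Review bot: Removing the `dependency-scan` job (old lines 349–459) leaves this workflow with no software-composition check at all, so a newly published CVE in a runtime dependency no longer surfaces in the pipeline or in the `check-results` summary table, whose last references are dropped in the hunks at 528–535 and 546–574. The removed step was already non-blocking — every scan invocation ended in `|| true`, so `--failOnCVSS 7` could never fail the job — which suggests the cost being cut was wall-clock time, and the removed script itself attributes slow runs to a missing `NVD_API_KEY` rather than to the scan being unwanted. If speed is the motive, a cheaper option than deletion is to keep the job off the pull-request path and run it on a `schedule:` trigger or mark it `continue-on-error: true` so `check-results` still reports it without gating merges. If the scan has deliberately moved elsewhere (Dependabot, a separate workflow), the numbered header comment at the top of the file should say so, e.g. `# 依赖漏洞扫描已移至 <WORKFLOW_NAME placeholder>`, since the file header and the start of the first hunk are outside this excerpt and currently give no pointer.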