From b8422398f78b997294eae82758d55bbcc197649e Mon Sep 17 00:00:00 2001
From: ShaoHua <345265198@qqcom>
Date: Tue, 2 Dec 2025 22:04:38 +0800
Subject: [PATCH] fix workflow: remove github dependency + duplicate scan
---
.gitea/workflows/sonar-scan.yml | 73 ++++++++++++++++++++++-----------
1 file changed, 49 insertions(+), 24 deletions(-)
diff --git a/.gitea/workflows/sonar-scan.yml b/.gitea/workflows/sonar-scan.yml
index 02ee6e4..fb722fe 100644
--- a/.gitea/workflows/sonar-scan.yml
+++ b/.gitea/workflows/sonar-scan.yml
@@ -29,38 +29,63 @@ jobs: dotnet restore dotnet build --configuration Release - # 官方标准.NET扫描流程(替换原步骤) - - name: Run SonarQube Scan (Official .NET Flow) + # 步骤2:SonarQube 扫描(含代码+依赖漏洞) + - name: SonarQube Full Scan run: | dotnet tool install --global dotnet-sonarscanner dotnet sonarscanner begin ` - /k:"sqp_28b681b0124003c4393fa03c0a336875539e22c2" ` + /k:"${{ secrets.SONAR_TOKEN }}" ` /d:sonar.host.url="http://127.0.0.1:9000" ` /d:sonar.login="${{ secrets.SONAR_TOKEN }}" ` /d:sonar.sources="./" ` /d:sonar.language="csharp" ` /d:sonar.exclusions="**/obj/**,**/bin/Debug/**" ` - /d:sonar.coverage.exclusions="**/Test/**,**/*.Tests.cs" - - /d:sonar.dependencyCheck.enabled=true ` - /d:sonar.dependencyCheck.nuget.enabled=true ` - /d:sonar.dependencyCheck.reportPath="./dependency-check-report.xml" + /d:sonar.dependencyCheck.enabled=true dotnet build --configuration Release dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}" - # 步骤3:OWASP Dependency-Check 专业 NuGet 漏洞扫描(不变) - - name: OWASP NuGet Dependency Vulnerability Scan + + # 步骤3:拉取 SonarQube Blocker 级问题(PowerShell 脚本) + - name: Fetch SonarQube Blocker Issues + id: fetch_issues run: | - dependency-check.bat ` - --scan "./" ` - --format HTML ` - --format XML ` - --out "./dependency-scan-results" ` - --suppression "./.dependency-check-suppression.xml" ` - --failOnCVSS 7 - # 步骤4:上传报告到 Gitea Actions(官方工具,无 404) - - name: Upload Dependency Scan Report to Gitea Actions - uses: gitea.com/actions/upload-artifact@v4 # Gitea 官方维护,兼容无问题 - with: - name: dependency-scan-report # 附件名称(下载时显示) - path: ./dependency-scan-results/ # 要上传的报告目录(含 HTML/XML 报告) - retention-days: 30 # 报告留存 30 天(可选,默认永久) \ No newline at end of file + # SonarQube API 地址(获取 Blockeer 级问题) + $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?project=${{ secrets.SONAR_TOKEN }}&severities=BLOCKER&statuses=OPEN" + # 调用 API 拉取数据 + $response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{ + "Authorization" = "Bearer ${{ secrets.SONAR_API_TOKEN }}" + 
} + # 输出问题数量 + Write-Host "发现 Blocker 级问题:$($response.total) 个" + # 将问题数据存入环境变量(供下一步使用) + $issuesJson = $response.issues | ConvertTo-Json -Compress + echo "ISSUES_JSON=$issuesJson" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + + # 步骤4:自动创建 Gitea Bug 议题 + - name: Create Gitea Bug Issues + if: fromJson(env.ISSUES_JSON).Count -gt 0 # 有 Blocker 问题才执行 + run: | + $issues = $env:ISSUES_JSON | ConvertFrom-Json + $giteaApiUrl = "https://git.we965.cn/api/v1/repos/learning/VectorDBDemo/issues" # Gitea 仓库 API 地址 + foreach ($issue in $issues) { + # 构造 Bug 内容(包含 SonarQube 问题详情) + $issueBody = @" + ## SonarQube Blocker 级问题自动创建 + - **问题 ID**:$($issue.key) + - **问题类型**:$($issue.type) + - **影响文件**:$($issue.component -replace '.*:', '') + - **行号**:$($issue.line) + - **问题描述**:$($issue.message) + - **修复建议**:$($issue.actions.fixNewValue ?? '无明确修复建议,请查看 SonarQube 详情') + - **SonarQube 链接**:http://127.0.0.1:9000/project/issues?id=${{ secrets.SONAR_TOKEN }}&open=$($issue.key) + "@ + # 调用 Gitea API 创建议题(标签设为 Bug) + Invoke-RestMethod -Uri $giteaApiUrl -Method Post -Headers @{ + "Authorization" = "token ${{ secrets.GITEAAPITOKEN }}" + "Content-Type" = "application/json" + } -Body (@{ + title = "[BUG] SonarQube Blocker: $($issue.message.Substring(0, [Math]::Min(50, $issue.message.Length)))" # 标题截取前 50 字 + body = $issueBody + labels = @("Bug") # 自动添加 Bug 标签 + } | ConvertTo-Json) + Write-Host "已创建 Gitea Bug:$($issue.key)" + } \ No newline at end of file
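Review bot: The project key is now the secret itself (`/k:"${{ secrets.SONAR_TOKEN }}"`), and the same secret is then interpolated into the issues-search URL (`project=${{ secrets.SONAR_TOKEN }}`) and into the `SonarQube 链接` line of `$issueBody`, so every Gitea issue this step creates, and any log line showing the request URL, carries the SonarQube token in clear text. Use a plain, non-secret key in all three places — `/k:"<sonar-project-key>"`, `project=<sonar-project-key>` and `id=<sonar-project-key>` — and keep the token only in `sonar.login` and the `Authorization` header. The condition `if: fromJson(env.ISSUES_JSON).Count -gt 0` is PowerShell, not workflow-expression syntax, and will not evaluate as intended; writing `echo "count=$($response.total)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append` from the fetch step and gating on `if: steps.fetch_issues.outputs.count > 0` expresses the intent in a form the runner understands (the `id: fetch_issues` is already there). The `sqp_…` value removed by this hunk stays in git history and should be rotated on the SonarQube side. The job header and any `shell:` setting governing these PowerShell `run:` blocks are outside the hunk, so whether backtick continuation and `??` are available here cannot be confirmed from this view.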