Merge branch 'SCA-374' into v3

yubaichao · yubaichao · commit 1fc8d90b502b · 2026-03-31T14:44:52.000+08:00
diff --git a/api/create_sub_task.go b/api/create_sub_task.go
@@ -28,6 +28,7 @@ type CreateSubTaskRequest struct {
 	ProjectTagNames    []string         `json:"project_tag_names,omitempty"`
 	WebhookAddr        *string          `json:"webhook_addr,omitempty"`
 	WebhookMode        *string          `json:"webhook_mode,omitempty"`
+	SkipSkillScan      bool             `json:"skip_skill_scan,omitempty"`
 	ExtraData          *string          `json:"extra_data,omitempty"`
 	IsAutonomous       bool             `json:"is_autonomous"`
 	Distribution       string           `json:"distribution"`
diff --git a/api/start_check.go b/api/start_check.go
@@ -11,6 +11,7 @@ func StartCheck(client *Client, task *model.ScanTask) error {
 	var data = map[string]any{
 		"subtask_id":           task.SubtaskId,
 		"package_private_name": task.MavenSourceName,
+		"skip_skill_scan":      task.SkipSkillScan,
 	}
 	if task.MavenSourceId != "" {
 		data["package_private_id"] = task.MavenSourceId
diff --git a/cmd/murphy/internal/internalcmd/scanner_scan.go b/cmd/murphy/internal/internalcmd/scanner_scan.go
@@ -79,6 +79,8 @@ func scannerScanRun(cmd *cobra.Command, args []string) {
 		ScanWarnings                        []scanerr.Param               `json:"scan_warnings"`
 		AutoBuildCount                      int                           `json:"auto_build_count"`
 		AutoBuildFailedCount                int                           `json:"auto_build_failed_count"`
+		SkillsSummary                       *model.SkillSummary           `json:"skills_summary,omitempty"`
+		Skills                              []model.SkillItem             `json:"skills"`
 	}
 	w := wrapper{
 		Modules:                             utils.NoNilSlice(scantask.Modules),
@@ -88,6 +90,11 @@ func scannerScanRun(cmd *cobra.Command, args []string) {
 		ScanWarnings:                        scanerr.GetAll(ctx),
 		AutoBuildCount:                      scantask.AutoBuildCount,
 		AutoBuildFailedCount:                scantask.AutoBuildFailedCount,
+		Skills:                              make([]model.SkillItem, 0),
+	}
+	if scantask.Result != nil {
+		w.SkillsSummary = scantask.Result.SkillsSummary
+		w.Skills = utils.NoNilSlice(scantask.Result.Skills)
 	}
 	for i := range scantask.Modules {
 		for j := range scantask.Modules[i].Dependencies {
diff --git a/cmd/murphy/internal/scan/cmd.go b/cmd/murphy/internal/scan/cmd.go
@@ -43,6 +43,7 @@ var sbomOutputConfig string
 var sbomOutputType common.SBOMFormatFlag
 var webhookAddr string
 var webhookMode common.WebhookModeFlag
+var skipSkills bool
 var extraData string
 var scanCodeHash bool
 var gradleProjectFilter gradle.ProjectFilter
@@ -78,6 +79,7 @@ func Cmd() *cobra.Command {
 	c.Flags().StringVar(&extraData, "extra-data", "", "specify the extra data")
 	c.Flags().BoolVar(&scanCodeHash, "scan-snippets", false, "Enable scanning of code snippets to detect SBOM and  vulnerabilities. Disabled by default")
 	c.Flags().BoolVar(&binaryOnly, "binary-only", false, "only scan binary files, skip source code scanning")
+	c.Flags().BoolVar(&skipSkills, "skip-skills", false, "disable Skills security scanning for this run")
 	c.Flags().StringArrayVar(&toolver.Default.Maven.AdditionalPrependArgs, "maven-prepend-arg", []string{}, "Prepend an argument to the Maven command. Can be specified multiple times.")
 	c.Flags().StringArrayVar(&toolver.Default.Maven.AdditionalArgs, "maven-arg", []string{}, "Append an argument to the Maven command. Can be specified multiple times.")
 	c.Flags().StringVar(&toolver.Default.Maven.JdkVersion, "maven-jdk", "", "specify JDK version for Maven build")
diff --git a/cmd/murphy/internal/scan/scan.go b/cmd/murphy/internal/scan/scan.go
@@ -47,6 +47,7 @@ func envScan(ctx context.Context, windowsPatchScanTimeout time.Duration) (task *
 	var hn, _ = os.Hostname()
 	createSubtask.Dir = fmt.Sprintf("HostEnv/%s(%s)", hn, utils.GetOutBoundIP())
 	createSubtask.ProjectTagNames = projectTagNames
+	createSubtask.SkipSkillScan = skipSkills
 	if createSubtask.ProjectTagNames == nil {
 		createSubtask.ProjectTagNames = make([]string, 0)
 	}
@@ -89,11 +90,12 @@ func envScan(ctx context.Context, windowsPatchScanTimeout time.Duration) (task *
 	cv.DisplaySubtaskCreated(ctx, createTaskResp.ProjectsName, createTaskResp.SubtaskID)
 	// create task object
 	task = &model.ScanTask{
-		Mode:        createSubtask.ScanMode,
-		AccessType:  createSubtask.AccessType,
-		TaskId:      createTaskResp.TaskID,
-		SubtaskId:   createTaskResp.SubtaskID,
-		SubtaskName: createSubtask.ProjectName,
+		Mode:          createSubtask.ScanMode,
+		AccessType:    createSubtask.AccessType,
+		TaskId:        createTaskResp.TaskID,
+		SubtaskId:     createTaskResp.SubtaskID,
+		SkipSkillScan: createSubtask.SkipSkillScan,
+		SubtaskName:   createSubtask.ProjectName,
 
 		MaxSbomVersion: createTaskResp.MaxSbomVersion,
 	}
@@ -175,6 +177,7 @@ func scan(ctx context.Context, dir string, accessType model.AccessType, mode mod
 	createSubtask.PackagePrivateName = privateSourceName
 	createSubtask.ProjectTagNames = projectTagNames
 	createSubtask.IsAutonomous = scanCodeHash
+	createSubtask.SkipSkillScan = skipSkills
 	createSubtask.Distribution = distribution.String()
 
 	if createSubtask.ProjectTagNames == nil {
@@ -238,6 +241,7 @@ func scan(ctx context.Context, dir string, accessType model.AccessType, mode mod
 		ProjectPath:     dir,
 		TaskId:          createTaskResp.TaskID,
 		SubtaskId:       createTaskResp.SubtaskID,
+		SkipSkillScan:   createSubtask.SkipSkillScan,
 		SubtaskName:     createSubtask.ProjectName,
 		MavenSourceId:   privateSourceId,
 		MavenSourceName: privateSourceName,
diff --git a/model/idea_output.go b/model/idea_output.go
@@ -41,6 +41,8 @@ type PluginOutput struct {
 	LicenseInfoList     json.RawMessage        `json:"license_info_list,omitempty"`
 	ProjectDistribution json.RawMessage        `json:"project_distribution,omitempty"`
 	SystemInfo          json.RawMessage        `json:"system_info,omitempty"`
+	SkillsSummary       *SkillSummary          `json:"skills_summary,omitempty"`
+	Skills              []SkillItem            `json:"skills,omitempty"`
 }
 
 type ScanWarning struct {
@@ -122,6 +124,8 @@ func GetIDEAOutput(task *ScanTask) PluginOutput {
 		LicenseInfoList:     r.LicenseInfoList,
 		ProjectDistribution: r.ProjectDistribution,
 		SystemInfo:          r.SystemInfo,
+		SkillsSummary:       r.SkillsSummary,
+		Skills:              utils.NoNilSlice(r.Skills),
 	}
 
 	var vulnListMapper = func(effects []ScanResultCompEffect) (rs []PluginVulnDetailInfo) {
diff --git a/model/result.go b/model/result.go
@@ -42,6 +42,8 @@ type ScanResultResponse struct {
 	LicenseInfoList     json.RawMessage                    `json:"license_info_list,omitempty"`
 	ProjectDistribution json.RawMessage                    `json:"project_distribution,omitempty"`
 	SystemInfo          json.RawMessage                    `json:"system_info,omitempty"`
+	SkillsSummary       *SkillSummary                      `json:"skills_summary,omitempty"`
+	Skills              []SkillItem                        `json:"skills,omitempty"`
 }
 
 type ScanResultCompInfo struct {
diff --git a/model/scantask.go b/model/scantask.go
@@ -11,6 +11,7 @@ type ScanTask struct {
 	Mode            ScanMode
 	TaskId          string
 	SubtaskId       string
+	SkipSkillScan   bool
 	Modules         []Module
 	CodeFragments   []ComponentCodeFragment
 	Result          *ScanResultResponse
diff --git a/model/skill_result.go b/model/skill_result.go
@@ -0,0 +1,73 @@
+package model
+
+// SkillSummary 表示 Skills 检测摘要。
+type SkillSummary struct {
+	Enabled             bool `json:"enabled"`
+	Total               int  `json:"total"`
+	RiskCount           int  `json:"risk_count"`
+	MaliciousCount      int  `json:"malicious_count"`
+	SuspiciousCount     int  `json:"suspicious_count"`
+	SafeCount           int  `json:"safe_count"`
+	PendingCount        int  `json:"pending_count"`
+	DetectionErrorCount int  `json:"detection_error_count"`
+	FailedCount         int  `json:"failed_count"`
+	DetectorAvailable   bool `json:"detector_available"`
+	LLMAvailable        bool `json:"llm_available"`
+}
+
+// SkillItem 表示单个 Skill 的检测结果。
+type SkillItem struct {
+	ID            string                `json:"id"`
+	Name          string                `json:"name"`
+	Description   string                `json:"description"`
+	DirPath       string                `json:"dir_path"`
+	DirName       string                `json:"dir_name"`
+	Status        string                `json:"status"`
+	Summary       string                `json:"summary"`
+	DetectMethods []string              `json:"detect_methods"`
+	HasCodeFiles  bool                  `json:"has_code_files"`
+	Source        SkillSourceInfo       `json:"source"`
+	Intelligence  SkillIntelligenceInfo `json:"intelligence"`
+	Analysis      SkillAnalysisInfo     `json:"analysis"`
+	ErrorMessage  string                `json:"error_message"`
+}
+
+// SkillSourceInfo 表示来源信息。
+type SkillSourceInfo struct {
+	SourceMatched bool   `json:"source_matched"`
+	Platform      string `json:"platform"`
+	PlatformURL   string `json:"platform_url"`
+	Author        string `json:"author"`
+	Version       string `json:"version"`
+	Stars         int64  `json:"stars"`
+	OriginalName  string `json:"original_name"`
+}
+
+// SkillIntelligenceInfo 表示情报匹配结果。
+type SkillIntelligenceInfo struct {
+	IsMalicious bool   `json:"is_malicious"`
+	MpsID       string `json:"mps_id"`
+	Summary     string `json:"summary"`
+	CollectedAt string `json:"collected_at"`
+}
+
+// SkillAnalysisInfo 表示 LLM 分析结果。
+type SkillAnalysisInfo struct {
+	Analyzed      bool                     `json:"analyzed"`
+	ModelProvider string                   `json:"model_provider"`
+	ModelName     string                   `json:"model_name"`
+	Summary       string                   `json:"summary"`
+	Dimensions    []SkillAnalysisDimension `json:"dimensions"`
+}
+
+// SkillAnalysisDimension 表示单个分析维度结果。
+type SkillAnalysisDimension struct {
+	Name               string `json:"name"`
+	DisplayName        string `json:"display_name"`
+	Status             string `json:"status"`
+	Detail             string `json:"detail"`
+	Evidence           string `json:"evidence"`
+	Location           string `json:"location"`
+	UserExplanation    string `json:"user_explanation"`
+	CommonRiskPatterns string `json:"common_risk_patterns"`
+}

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ func StartCheck(client Client, task model.ScanTask) error {`
`11`	`11`	`var data = map[string]any{`
`12`	`12`	`"subtask_id": task.SubtaskId,`
`13`	`13`	`"package_private_name": task.MavenSourceName,`
	`14`	`+ "skip_skill_scan": task.SkipSkillScan,`
`14`	`15`	`}`
`15`	`16`	`if task.MavenSourceId != "" {`
`16`	`17`	`data["package_private_id"] = task.MavenSourceId`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ type ScanResultResponse struct {`
`42`	`42`	LicenseInfoList json.RawMessage `json:"license_info_list,omitempty"`
`43`	`43`	ProjectDistribution json.RawMessage `json:"project_distribution,omitempty"`
`44`	`44`	SystemInfo json.RawMessage `json:"system_info,omitempty"`
	`45`	+ SkillsSummary *SkillSummary `json:"skills_summary,omitempty"`
	`46`	+ Skills []SkillItem `json:"skills,omitempty"`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`type ScanResultCompInfo struct {`