SCA-149 GO项目检测，直接依赖和间接依赖数量计算不准确

Author: chenhaoxuan

module/go_mod/go.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"path/filepath"
 
+	"github.com/murphysecurity/murphysec/infra/ui"
 	"github.com/murphysecurity/murphysec/model"
 	"github.com/murphysecurity/murphysec/utils"
 	"github.com/pkg/errors"
@@ -28,11 +29,14 @@ func (Inspector) InspectProject(ctx context.Context) error {
 	if utils.IsFile(filepath.Join(task.Dir(), "go.mod")) {
 		// 新版本
 		if task.IsNoBuild() {
+			ui.Use(ctx).Display(ui.MsgWarn, "通过 go build获取依赖信息失败，可能会导致检测结果不完整或失败，访问 https://murphysec.com/docs/faqs/quick-start-for-beginners/programming-language-supported.html 了解详情")
+
 			if err := baseScan(ctx); err != nil {
 				return err
 			}
 		} else {
 			if err := buildScan(ctx); err != nil {
+				ui.Use(ctx).Display(ui.MsgWarn, "通过 go build获取依赖信息失败，可能会导致检测结果不完整或失败，访问 https://murphysec.com/docs/faqs/quick-start-for-beginners/programming-language-supported.html 了解详情")
 				if err := baseScan(ctx); err != nil {
 					return err
 				}

module/go_mod/goModTidy.go

@@ -4,12 +4,13 @@ import (
 	"bytes"
 	"context"
 	"errors"
-	"github.com/murphysecurity/murphysec/infra/logctx"
-	"github.com/murphysecurity/murphysec/scanerr"
-	"go.uber.org/zap"
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/murphysecurity/murphysec/infra/logctx"
+	"github.com/murphysecurity/murphysec/scanerr"
+	"go.uber.org/zap"
 )
 
 const (
@@ -42,8 +43,10 @@ func goModTidyError(ctx context.Context, msg string) error {
 func goModTidy(ctx context.Context, path string) error {
 	logger := logctx.Use(ctx)
 	var stdErr bytes.Buffer
-	var againBol = false
 	logger.Debug("go mod tidy :" + path)
+	//记录次数
+	var count int = 0
+	var isourceError bool = false
 again:
 
 	cmd := exec.Command("go", "mod", "tidy")
@@ -54,24 +57,48 @@ again:
 		return err
 	}
 	if err := cmd.Wait(); err != nil {
-		logctx.Use(ctx).Error("cmd wait error :" + err.Error())
-		return err
-	}
+		// 命令执行失败，先看 stderr 里是否包含需要特殊处理的错误（例如设置 GOPRIVATE）
+		msg := stdErr.String()
+
+		// 如果包含特定错误，尝试修复后重试一次
+		if strings.Contains(msg, sourceError) {
+			if e := goModTidyError(ctx, msg); e != nil {
+				return e
+			}
+			isourceError = true
+		}
+		count++
+		//如果因为设置GOPRIVATE失败，重试3次后还是失败，则返回错误
+		if count == 3 {
+
+			// 普通失败，记录基础扫描错误
+			scanerr.Add(ctx, scanerr.Param{
+				Kind:    "auto_build_error",
+				Content: msg,
+			})
+			return errors.New(msg)
+		} else if count == 2 && !isourceError {
+			// 普通失败，记录基础扫描错误
+			scanerr.Add(ctx, scanerr.Param{
+				Kind:    "auto_build_error",
+				Content: msg,
+			})
+			//如果因为不是因为设置GOPRIVATE失败，重试2次后还是失败，则返回错误，避免无限重试
+			return errors.New(msg)
+		}
+
+		// 清空上一次的 stderr，再重试
+		stdErr.Reset()
+		goto again
 
-	if againBol {
-		scanerr.Add(ctx, scanerr.Param{
-			Kind:    "auto_build_error",
-			Content: stdErr.String(),
-		})
-		return errors.New(stdErr.String())
 	}
+
+	// 走到这里说明 go mod tidy 成功了
+	// 即使命令成功，stderr 也可能只是一些警告信息，这里只打日志，不触发基础扫描
 	if stdErr.Len() > 0 {
-		if err := goModTidyError(ctx, stdErr.String()); err != nil {
-			return err
-		} else {
-			againBol = true
-			goto again
-		}
+		logger.Warn("go mod tidy stderr (ignored, command succeeded)",
+			zap.String("stderr", stdErr.String()))
 	}
+
 	return nil
 }

module/go_mod/gotree.go

@@ -92,6 +92,7 @@ func buildScan(ctx context.Context) error {
 				EcoRepo:     EcoRepo,
 			},
 			DependencyRelation: model.DependencyRelationDirect,
+			IsDirectDependency: true,
 		}
 		logger.Debug("buildTree  start : " + j)
 		dependencies = append(dependencies, buildingDependencyTree(nameVersionMp, &dependencie, sonTree, &packageToPackageUsed, logger))