
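This started yesterday.

Over the past few months I have integrated WhiteSource Bolt scanning (a free alternative to the popular Snyk) into our DevOps projects.

Scanning our packages usually took a few minutes, and we were happy with the pipeline.

Here is a typical edited log from the pipeline: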

Starting: WhiteSource Bolt Scan
==============================================================================
Task         : WhiteSource Bolt
Description  : Detect security vulnerabilities, problematic open source licenses.
Version      : 21.3.2
Author       : WhiteSource
Help         : http://www.whitesourcesoftware.com
==============================================================================
Working directory is /home/vsts/work/1/s
Getting scan config data
unifiedAgent.config file created successfully at /home/vsts/work/1/s
Finished getScanConfigData
Finished archive and encryption
Starting Upload zip file to s3
Getting temp credentials
Finished to prepare scm scan request
Sending SCM scan request
Succeed to send SCM scan request
WhiteSource Support Token: 
Async Command Start: Add Build Tag
Build '4998' has following tags now: ws_support_token=ws_scan_start_time=Wed, 05 May 2021 12_32_26 GMT
Async Command End: Add Build Tag
Async Command Start: Add Build Tag
Build '4998' has following tags now: ws_support_token=
Async Command End: Add Build Tag
Finishing: WhiteSource Bolt Scan

Since yesterday, the output log has exploded into the following endless debug log, and an Angular project takes 30 minutes:

Starting: WhiteSource Bolt Scan
==============================================================================
Task         : WhiteSource Bolt
Description  : Detect security vulnerabilities, problematic open source licenses.
Version      : 21.6.2
Author       : WhiteSource
Help         : http://www.whitesourcesoftware.com
==============================================================================





[CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]     resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-template-literals/-/plugin-transform-template-literals-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:49,836 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-template-literals/7.13.0
[DEBUG] [2021-07-06 08:41:49,918 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   Succeed to download the npm package @babel/plugin-transform-modules-umd-7.13.0.tgz-7.13.0.
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-modules-amd/-/plugin-transform-modules-amd-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-modules-amd/7.13.0
[DEBUG] [2021-07-06 08:41:50,085 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,085 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   Succeed to download the npm package @babel/plugin-syntax-optional-chaining-7.8.3.tgz-7.8.3.
[DEBUG] [2021-07-06 08:41:50,086 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/babel-plugin-dynamic-import-node/-/babel-plugin-dynamic-import-node-2.3.3.tgz
[DEBUG] [2021-07-06 08:41:50,086 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in link = http://pkgs.dev.azure.com/babel-plugin-dynamic-import-node/2.3.3
[DEBUG] [2021-07-06 08:41:50,146 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   Succeed to download the npm package @babel/compat-data-7.13.8.tgz-7.13.8.
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in file = https://registry.npmjs.org/object.assign/-/object.assign-4.1.0.tgz
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in link = http://registry.npmjs.org/object.assign/4.1.0
[DEBUG] [2021-07-06 08:41:50,256 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   Succeed to download the npm package @babel/plugin-proposal-logical-assignment-operators-7.13.8.tgz-7.13.8.
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-parameters/-/plugin-transform-parameters-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-parameters/7.13.0
[DEBUG] [2021-07-06 08:41:51,633 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb]   npm.accessToken is not defined

We never changed the pipeline configuration:

      - task: WhiteSource@21
        displayName: WhiteSource Bolt Scan
        inputs:
          cwd: '$(System.DefaultWorkingDirectory)'
          projectName: '$(projectName)'

Has anyone else noticed this? Apart from abandoning this plugin in favor of another service, what else can we do?

1 Answer

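This is the official feedback from WhiteSource support:

Starting from version 21.6.2, the WhiteSource scan is executed directly inside the Azure DevOps pipeline. This means that the WhiteSource task runs the scan as part of the pipeline build.

Prior to this change, the WhiteSource task did not execute the scan directly; it collected the relevant information and sent it to a remote WhiteSource server, which was the one that actually ran the scan. Only when the scan on the remote server was completed and the results returned was the WhiteSource risk report displayed in Azure DevOps. This caused the WhiteSource report to be loaded after a long time and led to several issues. Therefore, we decided to change to a direct scan, which is a more straightforward scanning method; the WhiteSource report loads faster, and there are many other improvements. However, it is important to understand that the scan is now executed synchronously as part of the build (rather than remotely and asynchronously),

So it looks like they pushed a major change without warning users that pipelines would take longer.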

Answered on 2021-07-08T09:38:01.567
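The two task banners in the question show the task moving from 21.3.2 to 21.6.2 while the YAML still reads `WhiteSource@21`, a reference that pins only the major version. The Python script below is an added example, not part of the original post or of WhiteSource's tooling; it compares the task banners of two build logs and reports version drift. The function names are assumptions of this example, and the sample logs are trimmed from the two logs in the question.

```python
import re

# Banner fields the pipeline agent prints between two '====' rules.
FIELD = re.compile(r"^(Task|Version)\s*:\s*(.+?)\s*$")
RULE = re.compile(r"^={10,}\s*$")

def task_versions(log_text):
    """Return {task name: version} from the banners in one build log."""
    versions, inside, fields = {}, False, {}
    for line in log_text.splitlines():
        if RULE.match(line):
            # A closing rule ends the banner: record it if complete.
            if inside and "Task" in fields and "Version" in fields:
                versions[fields["Task"]] = fields["Version"]
            inside, fields = not inside, {}
        elif inside:
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return versions

def drift(old_log, new_log):
    """List (task, old, new, same_major) for tasks whose version changed."""
    old, new = task_versions(old_log), task_versions(new_log)
    changed = []
    for task in sorted(old.keys() & new.keys()):
        if old[task] != new[task]:
            same_major = old[task].split(".")[0] == new[task].split(".")[0]
            changed.append((task, old[task], new[task], same_major))
    return changed

RULE_LINE = "=" * 78
# Sample input: banners trimmed from the two logs in the question.
OLD_LOG = "\n".join([
    "Starting: WhiteSource Bolt Scan", RULE_LINE,
    "Task         : WhiteSource Bolt", "Version      : 21.3.2",
    "Author       : WhiteSource", RULE_LINE,
    "Working directory is /home/vsts/work/1/s"])
NEW_LOG = OLD_LOG.replace("21.3.2", "21.6.2")

if __name__ == "__main__":
    for task, old, new, same_major in drift(OLD_LOG, NEW_LOG):
        note = "within the pinned major version" if same_major else "major bump"
        print(f"{task}: {old} -> {new} ({note})")
```

Run against the last known-good build log and the current one, a non-empty result with `same_major` set to true points to a task update that arrived without any change to the pipeline definition.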