npm - @comate/zulu - Versions diffs - 1.2.1-beta.2 → 1.3.0 - Mend

@comate/zulu 1.2.1-beta.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/comate-engine/assets/skills/code-security/scripts/build_repair_info.py ADDED Viewed

File without changes

package/comate-engine/assets/skills/code-security/scripts/credential_hosting.py ADDED Viewed

@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+"""
+凭证托管工具 - 将凭证托管到第三方平台（iPipe/CNAP/datamanage）。
+用法:
+    python3 credential_hosting.py --poll-result <poll_result.json路径> --username <用户名>
+    也可手动指定各参数（不推荐，仅向后兼容）:
+    python3 credential_hosting.py --chat-id <chatID> --platform <platformName> --username <用户名> --credentials '<JSON>'
+使用 --poll-result 时，自动从 credential_poll.py 的输出文件中提取 chatUUID、deployment.platformName、data.credentials。
+"""
+import argparse
+import hashlib
+import json
+import logging
+import sys
+import uuid
+import http_client  # noqa: F401 (triggers shared logging config)
+HOST = "https://comate-sec.baidu-int.com"
+USER_ID = ""
+USERNAME = ""
+logger = logging.getLogger("credential_hosting")
+def build_headers(chat_id):
+    return {
+        "Comate-User-Id": USER_ID,
+        "Comate-Username": USERNAME,
+        "SAST-Chat-ID": chat_id,
+        "SAST-Request-ID": str(uuid.uuid4()),
+    }
+def hosting_credentials(chat_id, platform, credentials):
+    """将凭证托管到指定平台。"""
+    url = "{}/api/v1/deployments/{}/credentials".format(HOST, platform)
+    payload = {
+        "configs": credentials,
+        "scanChatID": chat_id,
+    }
+    logger.info("credential_hosting: chat_id=%s, platform=%s, credentials_count=%d",
+                chat_id, platform, len(credentials))
+    print("正在托管凭证到 {} 平台...".format(platform), file=sys.stderr)
+    return http_client.post(url, headers=build_headers(chat_id), json_body=payload)
+def main():
+    global USER_ID, USERNAME
+    parser = argparse.ArgumentParser(description="凭证托管工具")
+    parser.add_argument("--poll-result", default=None, help="credential_poll.py 输出的结果文件路径，自动提取所需参数")
+    parser.add_argument("--chat-id", default=None, help="scanChatID（使用 --poll-result 时可省略）")
+    parser.add_argument("--platform", default=None, help="托管平台名称（使用 --poll-result 时可省略）")
+    parser.add_argument("--username", required=True, help="Comate 用户名")
+    parser.add_argument("--credentials", default=None, help="凭证配置 JSON（使用 --poll-result 时可省略）")
+    args = parser.parse_args()
+    USERNAME = args.username
+    USER_ID = hashlib.md5(args.username.encode("utf-8")).hexdigest()[:12]
+    chat_id = args.chat_id
+    platform = args.platform
+    credentials = None
+    if args.poll_result:
+        # 从 poll_result 文件提取所有参数
+        try:
+            with open(args.poll_result, "r", encoding="utf-8") as f:
+                poll_data = json.load(f)
+        except Exception as e:
+            print("错误: 读取 poll-result 失败 {}: {}".format(args.poll_result, e), file=sys.stderr)
+            sys.exit(1)
+        chat_id = chat_id or poll_data.get("chatUUID", "")
+        data = poll_data.get("data", {})
+        platform = platform or data.get("deployment", {}).get("platformName", "")
+        credentials = data.get("credentials")
+    elif args.credentials:
+        try:
+            credentials = json.loads(args.credentials)
+        except json.JSONDecodeError as e:
+            print("错误: 凭证 JSON 解析失败: {}".format(e), file=sys.stderr)
+            sys.exit(1)
+    if not chat_id or not platform or credentials is None:
+        print("错误: 缺少必要参数。使用 --poll-result 或同时提供 --chat-id、--platform、--credentials", file=sys.stderr)
+        sys.exit(1)
+    result = hosting_credentials(chat_id, platform, credentials)
+    print(json.dumps(result, ensure_ascii=False, indent=2))
+if __name__ == "__main__":
+    main()

package/comate-engine/assets/skills/code-security/scripts/credential_poll.py ADDED Viewed

@@ -0,0 +1,350 @@
+#!/usr/bin/env python3
+"""
+凭证配置轮询工具 - 通过 WebSocket 监听凭证托管助手网页的配置结果。
+用法:
+    python3 credential_poll.py --chat-id <chatID> --username <用户名>
+流程:
+    1. 连接 WebSocket 端点
+    2. 等待用户在网页完成凭证配置并点击「生成代码」
+    3. 收到 msgType=repair 消息后输出配置数据
+注意: 使用 Python 标准库实现 WebSocket 客户端，无需第三方依赖。
+"""
+import argparse
+import hashlib
+import json
+import logging
+import os
+import socket
+import struct
+import sys
+import time
+try:
+    import ssl
+    _SSL_AVAILABLE = True
+except ImportError:
+    _SSL_AVAILABLE = False
+# 触发共享日志配置
+import http_client  # noqa: F401
+WS_HOST = "wss://comate-sec-test.baidu-int.com"
+USER_ID = ""
+logger = logging.getLogger("credential_poll")
+WS_TIMEOUT = 30 * 60  # 30 分钟超时
+RECV_TIMEOUT = 5  # 每次 recv 超时秒数
+MAX_RECONNECT = 10
+RECONNECT_BASE_INTERVAL = 1  # 秒
+# WebSocket opcodes
+OP_TEXT = 0x1
+OP_CLOSE = 0x8
+OP_PING = 0x9
+OP_PONG = 0xA
+def _generate_ws_key():
+    """生成随机的 Sec-WebSocket-Key。"""
+    import base64
+    return base64.b64encode(os.urandom(16)).decode("ascii")
+def _ws_connect(host, port, path, headers, use_ssl=True, timeout=10):
+    """
+    建立 WebSocket 连接，返回 socket 对象。
+    执行 HTTP Upgrade 握手，验证 101 响应。
+    """
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.settimeout(timeout)
+    if use_ssl:
+        if not _SSL_AVAILABLE:
+            raise RuntimeError(
+                "WebSocket 需要 SSL 但 ssl 模块不可用。"
+                "请安装 libssl1.1 或重新编译 Python 以支持 ssl。"
+            )
+        ctx = ssl.create_default_context()
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+        sock = ctx.wrap_socket(sock, server_hostname=host)
+    sock.connect((host, port))
+    # 构造握手请求
+    ws_key = _generate_ws_key()
+    lines = [
+        "GET {} HTTP/1.1".format(path),
+        "Host: {}".format(host),
+        "Upgrade: websocket",
+        "Connection: Upgrade",
+        "Sec-WebSocket-Version: 13",
+        "Sec-WebSocket-Key: {}".format(ws_key),
+    ]
+    for k, v in headers.items():
+        lines.append("{}: {}".format(k, v))
+    lines.append("")
+    lines.append("")
+    request = "\r\n".join(lines)
+    sock.sendall(request.encode("utf-8"))
+    # 读取响应头
+    response = b""
+    while b"\r\n\r\n" not in response:
+        chunk = sock.recv(4096)
+        if not chunk:
+            raise ConnectionError("连接在握手期间被关闭")
+        response += chunk
+    header_end = response.index(b"\r\n\r\n")
+    header_part = response[:header_end].decode("utf-8")
+    status_line = header_part.split("\r\n")[0]
+    # 验证 101 状态码
+    parts = status_line.split(" ", 2)
+    status_code = int(parts[1])
+    if status_code != 101:
+        # 尝试读取 body 获取错误信息
+        body_part = response[header_end + 4:]
+        error_msg = body_part.decode("utf-8", errors="replace") if body_part else ""
+        raise ConnectionError("WebSocket 握手失败: HTTP {} - {}".format(status_code, error_msg))
+    return sock
+def _ws_recv_frame(sock):
+    """
+    接收一个 WebSocket 帧，返回 (opcode, payload_bytes)。
+    """
+    def _recv_exact(n):
+        data = b""
+        while len(data) < n:
+            chunk = sock.recv(n - len(data))
+            if not chunk:
+                raise ConnectionError("连接被关闭")
+            data += chunk
+        return data
+    # 读取 2 字节头
+    head = _recv_exact(2)
+    opcode = head[0] & 0x0F
+    masked = (head[1] & 0x80) != 0
+    payload_len = head[1] & 0x7F
+    # 扩展长度
+    if payload_len == 126:
+        payload_len = struct.unpack("!H", _recv_exact(2))[0]
+    elif payload_len == 127:
+        payload_len = struct.unpack("!Q", _recv_exact(8))[0]
+    # mask (服务端发给客户端通常不 mask，但保留处理)
+    mask_key = None
+    if masked:
+        mask_key = _recv_exact(4)
+    # payload
+    payload = _recv_exact(payload_len)
+    if mask_key:
+        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
+    return opcode, payload
+def _ws_send_frame(sock, opcode, payload=b""):
+    """
+    发送一个 WebSocket 帧（客户端发送需要 mask）。
+    """
+    mask_key = os.urandom(4)
+    masked_payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
+    frame = bytearray()
+    frame.append(0x80 | opcode)  # FIN + opcode
+    length = len(payload)
+    if length < 126:
+        frame.append(0x80 | length)  # MASK bit + length
+    elif length < 65536:
+        frame.append(0x80 | 126)
+        frame.extend(struct.pack("!H", length))
+    else:
+        frame.append(0x80 | 127)
+        frame.extend(struct.pack("!Q", length))
+    frame.extend(mask_key)
+    frame.extend(masked_payload)
+    sock.sendall(bytes(frame))
+def _ws_send_pong(sock, payload=b""):
+    """回复 pong 帧。"""
+    _ws_send_frame(sock, OP_PONG, payload)
+def _ws_send_close(sock, code=1000, reason=""):
+    """发送 close 帧。"""
+    payload = struct.pack("!H", code) + reason.encode("utf-8")
+    _ws_send_frame(sock, OP_CLOSE, payload)
+def _parse_ws_url(url):
+    """解析 wss://host/path，返回 (host, port, path, use_ssl)。"""
+    if url.startswith("wss://"):
+        use_ssl = True
+        default_port = 443
+        rest = url[6:]
+    elif url.startswith("ws://"):
+        use_ssl = False
+        default_port = 80
+        rest = url[5:]
+    else:
+        raise ValueError("不支持的 URL scheme: {}".format(url))
+    if "/" in rest:
+        host_port, path = rest.split("/", 1)
+        path = "/" + path
+    else:
+        host_port = rest
+        path = "/"
+    if ":" in host_port:
+        host, port_str = host_port.split(":", 1)
+        port = int(port_str)
+    else:
+        host = host_port
+        port = default_port
+    return host, port, path, use_ssl
+def poll_credential_config(chat_id):
+    """通过 WebSocket 监听凭证配置，返回配置数据 dict 或 None。"""
+    url = "{}/api/v1/ws/credential/events".format(WS_HOST)
+    host, port, path, use_ssl = _parse_ws_url(url)
+    logger.info("credential_poll start: chat_id=%s", chat_id)
+    ws_headers = {
+        "SAST-Chat-ID": chat_id,
+        "Comate-User-Id": USER_ID,
+    }
+    reconnect_attempts = 0
+    start_time = time.time()
+    while time.time() - start_time < WS_TIMEOUT:
+        sock = None
+        try:
+            sock = _ws_connect(host, port, path, ws_headers, use_ssl, timeout=RECV_TIMEOUT)
+            print("WebSocket 已连接，等待凭证配置...", file=sys.stderr)
+            reconnect_attempts = 0  # 连接成功，重置重连计数
+            while time.time() - start_time < WS_TIMEOUT:
+                try:
+                    opcode, payload = _ws_recv_frame(sock)
+                    if opcode == OP_TEXT:
+                        msg = payload.decode("utf-8")
+                        if not msg:
+                            continue
+                        data = json.loads(msg)
+                        msg_type = data.get("msgType", "")
+                        if msg_type == "repair":
+                            print("收到凭证配置数据", file=sys.stderr)
+                            logger.info("credential_poll received repair data")
+                            try:
+                                _ws_send_close(sock)
+                            except Exception:
+                                pass
+                            return data
+                        elif msg_type == "openFile":
+                            continue
+                    elif opcode == OP_PING:
+                        _ws_send_pong(sock, payload)
+                    elif opcode == OP_CLOSE:
+                        print("服务端关闭连接，尝试重连...", file=sys.stderr)
+                        break
+                except socket.timeout:
+                    # recv 超时，继续等待
+                    continue
+                except (ConnectionError, OSError):
+                    print("WebSocket 连接断开，尝试重连...", file=sys.stderr)
+                    break
+                except ValueError as e:
+                    print("JSON 解析失败: {}".format(e), file=sys.stderr)
+                    continue
+        except ConnectionError as e:
+            err_msg = str(e)
+            print("WebSocket 连接失败: {}".format(err_msg), file=sys.stderr)
+            # 400004 表示会话不存在（用户还未打开网页），继续重试等待用户打开
+            # 其他业务错误直接退出
+            if "400004" in err_msg:
+                print("会话不存在，等待用户打开凭证托管网页...", file=sys.stderr)
+            elif "HTTP 200" in err_msg or "400" in err_msg:
+                print("服务端拒绝连接，请检查 chatID 是否有效", file=sys.stderr)
+                return None
+        except Exception as e:
+            print("WebSocket 连接失败: {}".format(e), file=sys.stderr)
+        finally:
+            if sock:
+                try:
+                    sock.close()
+                except Exception:
+                    pass
+        # 重连逻辑：指数退避
+        reconnect_attempts += 1
+        if reconnect_attempts > MAX_RECONNECT:
+            print("达到最大重连次数，退出", file=sys.stderr)
+            return None
+        delay = RECONNECT_BASE_INTERVAL * (2 ** (reconnect_attempts - 1))
+        print("{}秒后重连 (第{}/{})次...".format(delay, reconnect_attempts, MAX_RECONNECT), file=sys.stderr)
+        time.sleep(delay)
+    print("超时，未收到凭证配置", file=sys.stderr)
+    logger.warning("credential_poll timeout: chat_id=%s", chat_id)
+    return None
+def main():
+    """解析命令行参数并启动凭证配置轮询，将结果输出到标准输出（可选保存到文件）。"""
+    global USER_ID
+    parser = argparse.ArgumentParser(description="凭证配置轮询工具")
+    parser.add_argument("--chat-id", required=True, help="scanChatID，用于关联扫描会话")
+    parser.add_argument("--username", required=True, help="Comate 用户名")
+    parser.add_argument("--output", default=None, help="将结果保存到指定文件路径（同时仍输出到标准输出）")
+    args = parser.parse_args()
+    USER_ID = hashlib.md5(args.username.encode("utf-8")).hexdigest()[:12]
+    result = poll_credential_config(args.chat_id)
+    if result:
+        output_json = json.dumps(result, ensure_ascii=False, indent=2)
+        print(output_json)
+        if args.output:
+            output_dir = os.path.dirname(os.path.abspath(args.output))
+            os.makedirs(output_dir, exist_ok=True)
+            with open(args.output, "w", encoding="utf-8") as f:
+                f.write(output_json)
+            print("已保存: {}".format(args.output), file=sys.stderr)
+    else:
+        print(json.dumps({"error": "未收到凭证配置数据"}, ensure_ascii=False))
+        sys.exit(1)
+if __name__ == "__main__":
+    main()

package/comate-engine/assets/skills/code-security/scripts/http_client.py ADDED Viewed

@@ -0,0 +1,173 @@
+#!/usr/bin/env python3
+"""
+基于 urllib 的轻量 HTTP 客户端，零第三方依赖。
+提供 GET / POST / PUT 方法，支持 JSON 请求和响应。
+当 ssl 模块不可用时（如 libssl 版本不匹配），自动回退到 curl 子进程。
+所有脚本共用日志配置，写入 skill/logs/<日期>.log，自动清理 7 天前的日志。
+"""
+import datetime
+import glob
+import json
+import logging
+import os
+import subprocess
+try:
+    import ssl
+    _SSL_AVAILABLE = True
+except ImportError:
+    _SSL_AVAILABLE = False
+try:
+    from urllib.request import Request, urlopen
+    from urllib.error import HTTPError, URLError
+except ImportError:
+    from urllib2 import Request, urlopen, HTTPError, URLError
+# ---- 统一日志配置 ----
+_scripts_dir = os.path.dirname(os.path.abspath(__file__))
+_skill_dir = os.path.dirname(_scripts_dir)
+_log_dir = os.path.join(_skill_dir, "logs")
+os.makedirs(_log_dir, exist_ok=True)
+# 清理超过 7 天的日志文件
+_now = datetime.datetime.now()
+for _f in glob.glob(os.path.join(_log_dir, "*.log")):
+    try:
+        _mtime = datetime.datetime.fromtimestamp(os.path.getmtime(_f))
+        if (_now - _mtime).days > 7:
+            os.remove(_f)
+    except OSError:
+        pass
+_log_file = os.path.join(_log_dir, _now.strftime("%Y-%m-%d") + ".log")
+logging.basicConfig(
+    filename=_log_file,
+    level=logging.INFO,
+    format="%(asctime)s [%(name)s] %(levelname)s %(message)s",
+)
+logger = logging.getLogger("http")
+def _build_request(url, method="GET", headers=None, json_body=None):
+    """构造 urllib Request 对象。"""
+    data = None
+    if json_body is not None:
+        data = json.dumps(json_body).encode("utf-8")
+    req = Request(url, data=data)
+    req.get_method = lambda: method
+    if headers:
+        for k, v in headers.items():
+            req.add_header(k, v)
+    if data is not None and not req.has_header("Content-type"):
+        req.add_header("Content-Type", "application/json; charset=utf-8")
+    return req
+def _create_ssl_context():
+    """创建 SSL 上下文。"""
+    ctx = ssl.create_default_context()
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    return ctx
+def _log_safe_headers(headers):
+    """提取可安全记录的请求头。"""
+    safe = {}
+    if headers:
+        for k in ("SAST-Chat-ID", "SAST-Request-ID", "Comate-User-Id", "Comate-Username"):
+            if k in headers:
+                safe[k] = headers[k]
+    return safe
+def _request_curl(url, method="GET", headers=None, json_body=None, timeout=120):
+    """ssl 不可用时，通过 curl 子进程发送请求。"""
+    cmd = ["curl", "-s", "-S", "--insecure", "-X", method, "--max-time", str(timeout)]
+    if headers:
+        for k, v in headers.items():
+            cmd += ["-H", "{}: {}".format(k, v)]
+    if json_body is not None:
+        cmd += ["-H", "Content-Type: application/json; charset=utf-8"]
+        cmd += ["-d", json.dumps(json_body)]
+    cmd.append(url)
+    logger.info("[curl] %s %s headers=%s", method, url, json.dumps(_log_safe_headers(headers)))
+    try:
+        proc = subprocess.run(cmd, capture_output=True, timeout=timeout + 10)
+    except FileNotFoundError:
+        raise RuntimeError(
+            "ssl 模块不可用且未找到 curl 命令。"
+            "请安装 curl 或修复 Python ssl 依赖（安装 libssl1.1 或重新编译 Python）。"
+        )
+    if proc.returncode != 0:
+        stderr_text = proc.stderr.decode("utf-8", errors="replace").strip()
+        logger.error("[curl] %s %s -> curl exit %d: %s", method, url, proc.returncode, stderr_text)
+        raise RuntimeError("curl 请求失败 (exit {}): {}".format(proc.returncode, stderr_text))
+    body = proc.stdout.decode("utf-8")
+    logger.info("[curl] %s %s -> OK (%d bytes)", method, url, len(body))
+    return json.loads(body)
+def request(url, method="GET", headers=None, json_body=None, timeout=120):
+    """
+    发送 HTTP 请求，返回解析后的 JSON dict。
+    当 ssl 模块不可用时自动回退到 curl。
+    :param url: 请求 URL
+    :param method: HTTP 方法 (GET/POST/PUT)
+    :param headers: 请求头 dict
+    :param json_body: JSON 请求体 (自动序列化)
+    :param timeout: 超时秒数
+    :return: 响应 JSON dict
+    :raises: HTTPError, URLError, RuntimeError
+    """
+    if not _SSL_AVAILABLE:
+        return _request_curl(url, method, headers, json_body, timeout)
+    # 记录请求（仅 URL 和关键 header，不记录 body 避免日志过大）
+    logger.info("%s %s headers=%s", method, url, json.dumps(_log_safe_headers(headers)))
+    req = _build_request(url, method, headers, json_body)
+    ctx = _create_ssl_context()
+    try:
+        resp = urlopen(req, timeout=timeout, context=ctx)
+        status = resp.getcode()
+        body = resp.read().decode("utf-8")
+        logger.info("%s %s -> %d (%d bytes)", method, url, status, len(body))
+        return json.loads(body)
+    except HTTPError as e:
+        error_body = ""
+        try:
+            error_body = e.read().decode("utf-8")[:500]
+        except Exception:
+            pass
+        logger.error("%s %s -> HTTP %d: %s", method, url, e.code, error_body)
+        raise
+def get(url, headers=None, timeout=120):
+    """发送 GET 请求，返回 JSON。"""
+    return request(url, method="GET", headers=headers, timeout=timeout)
+def post(url, headers=None, json_body=None, timeout=120):
+    """发送 POST 请求，返回 JSON。"""
+    return request(url, method="POST", headers=headers, json_body=json_body, timeout=timeout)
+def put(url, headers=None, json_body=None, timeout=120):
+    """发送 PUT 请求，返回 JSON。"""
+    return request(url, method="PUT", headers=headers, json_body=json_body, timeout=timeout)