Description
Is your feature request related to a problem? Please describe.
When scanning our project with Opensca, it includes the soot-1.0.jar file under the JarCollection directory. This JAR file is a test package and does not contain source code that needs security analysis, so it should not be included in the scan scope.
Current behaviour: during the scan, the soot-1.0.jar file is included in the scan results, and its path appears in the scan output, for example:
```json
{
  "task_info": {
    "tool_version": "v3.0.7",
    "app_name": "TestCaseDroid",
    "size": 0,
    "start_time": "2025-04-18 08:26:39",
    "end_time": "2025-04-18 08:27:02",
    "cost_time": 23.0197382,
    "error": "not config vuln database origin"
  },
  "id": "57178063596617728",
  "children": [
    {
      "vendor": "org.example",
      "name": "soot",
      "version": "1.0-SNAPSHOT",
      "language": "Java",
      "id": "57178063596617729",
      "direct": true,
      "paths": [
        "TestCaseDroid\\TestCaseDroid\\JarCollection\\soot-1.0.jar\\META-INF\\maven\\org.example\\soot\\pom.xml\\[org.example:soot:1.0-SNAPSHOT]"
      ]
    },
    {
      "vendor": "edu.xjtu",
      "name": "TestCaseDroid",
      "version": "1.2",
      "language": "Java",
      "id": "57178063596617730",
      "direct": true,
      "paths": [
        "TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]"
      ],
      "children": [
        {
          "vendor": "org.soot-oss",
          "name": "soot",
          "version": "4.6.0",
          "language": "Java",
          "id": "57178063596617731",
          "direct": true,
          "paths": [
            "TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]"
          ],
          "licenses": [
            {
              "name": "GNU LESSER GENERAL PUBLIC LICENSE 2.1"
            }
          ],
          "children": [
            {
              "vendor": "commons-io",
              "name": "commons-io",
              "version": "2.17.0",
              "language": "Java",
              "id": "57178063596617743",
              "paths": [
                "TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]\\[commons-io:commons-io:2.17.0]"
              ]
            },
```
This is not what we expect, because the JAR file is only used for testing and should not take part in the scan.
Describe the solution you'd like
I would like an option to configure Opensca to exclude specific paths or directories (such as the JarCollection folder, or a specific JAR file such as soot-1.0.jar) from the scan.
Describe alternatives you've considered
Deleting the files manually to exclude them, but that is rather limited.
Additional context
Opensca version: v3.0.7
The project structure is as follows:
```
TestCaseDroid
│
├── .idea
├── JarCollection
│   ├── decompiler.jar
│   └── soot-1.0.jar
├── Lecture
├── README.md
├── src
│   ├── .gitignore
│   ├── LICENSE
└── pom.xml
```
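An added example, not part of this issue or of the OpenSCA project: a Python post-filter over a v3.0.7-style report that drops components reachable only through an excluded directory or JAR (here the `JarCollection` folder or `soot-1.0.jar`), as an interim alternative to deleting files by hand until a scan-time exclude option exists. The report below is a constructed, trimmed copy of the one quoted above, and the function names and the segment-glob exclude syntax are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample shaped like the v3.0.7 report quoted in the issue (trimmed).
SAMPLE_REPORT = {
    "task_info": {"tool_version": "v3.0.7", "app_name": "TestCaseDroid"},
    "children": [
        {"vendor": "org.example", "name": "soot", "version": "1.0-SNAPSHOT",
         "paths": ["TestCaseDroid\\TestCaseDroid\\JarCollection\\soot-1.0.jar\\META-INF\\maven\\org.example\\soot\\pom.xml\\[org.example:soot:1.0-SNAPSHOT]"]},
        {"vendor": "edu.xjtu", "name": "TestCaseDroid", "version": "1.2",
         "paths": ["TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]"],
         "children": [{"vendor": "org.soot-oss", "name": "soot", "version": "4.6.0",
                       "paths": ["TestCaseDroid\\TestCaseDroid\\pom.xml\\[edu.xjtu:TestCaseDroid:1.2]\\[org.soot-oss:soot:4.6.0]"]}]},
    ],
}
def path_is_excluded(path, excludes):
    """True if any file-system segment of an OpenSCA scan path matches an exclude glob.
    '\\' is normalised to '/' so Windows and Linux reports behave the same; the
    [group:artifact:version] markers are dependency nodes, not files, and are skipped."""
    segments = path.replace("\\", "/").split("/")
    fs_segments = [s for s in segments if not s.startswith("[")]
    return any(fnmatchcase(seg, pat) for seg in fs_segments for pat in excludes)

def filter_components(components, excludes):
    """Drop components reachable only through excluded paths; keep the rest with
    their remaining paths and recurse into their children."""
    kept = []
    for comp in components:
        paths = [p for p in comp.get("paths", []) if not path_is_excluded(p, excludes)]
        if comp.get("paths") and not paths:
            continue  # every path went through an excluded location: drop the subtree
        new_comp = dict(comp, paths=paths)
        if "children" in comp:
            new_comp["children"] = filter_components(comp["children"], excludes)
        kept.append(new_comp)
    return kept

def filter_report(report, excludes):
    """Copy of the report with the exclusions applied to its component tree."""
    return dict(report, children=filter_components(report.get("children", []), excludes))

def component_keys(components):
    """Flatten the tree to 'vendor:name:version' strings (handy for checks)."""
    keys = []
    for c in components:
        keys.append(f"{c['vendor']}:{c['name']}:{c['version']}")
        keys.extend(component_keys(c.get("children", [])))
    return keys
if __name__ == "__main__":
    print(json.dumps(filter_report(SAMPLE_REPORT, ["JarCollection", "*.jar"]), indent=2))
```

Components that are reachable both through an excluded JAR and through the real pom.xml are kept with only their legitimate paths, so a shared dependency is not silently lost from the report.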