feat: SCA-151 add support for gzipped HTTP requests and MaxSbomVersion handling

iseki0 · iseki0 · commit 90dbfe59a625 · 2026-01-06T18:04:47.000+08:00
- Introduced `gzipped_body` for gzipped request body support.
- Added `MaxSbomVersion` to `ScanTask` and related models.
- Implemented conditional behavior in SBOM commit based on `MaxSbomVersion`.
diff --git a/api/client.go b/api/client.go
@@ -3,15 +3,16 @@ package api
 import (
 	"context"
 	"encoding/json"
-	"github.com/murphysecurity/murphysec/utils/must"
-	"github.com/murphysecurity/murphysec/version"
-	"go.uber.org/zap"
 	"io"
 	"net/http"
 	"net/url"
 	"path"
 	"reflect"
 	"strings"
+
+	"github.com/murphysecurity/murphysec/utils/must"
+	"github.com/murphysecurity/murphysec/version"
+	"go.uber.org/zap"
 )
 
 var _DefaultClient *Client
@@ -113,6 +114,14 @@ func (c *Client) POST(url *url.URL, body io.Reader) *http.Request {
 	return must.A(http.NewRequest(http.MethodPost, url.String(), body))
 }
 
+func (c *Client) PostSpecialJson(url *url.URL, data any) *http.Request {
+	var body = NewGzippedBody(NewJsonRequestBody(data))
+	u := c.POST(url, body)
+	u.GetBody = body.GetBody
+	u.Header.Set("Content-Type", "application/vnd.murphysec.sbom.v1")
+	return u
+}
+
 func (c *Client) PostJson(url *url.URL, data any) *http.Request {
 	var body = NewJsonRequestBody(data)
 	u := c.POST(url, body)
diff --git a/api/create_sub_task.go b/api/create_sub_task.go
@@ -43,6 +43,8 @@ type CreateSubTaskResponse struct {
 	SubtaskID    string `json:"subtask_id"`    // 子任务ID
 	TaskName     string `json:"task_name"`     // 任务名称
 	AlertMessage string `json:"alert_message"`
+
+	MaxSbomVersion string `json:"max_sbom_version"`
 }
 
 func CreateSubTask(client *Client, request *CreateSubTaskRequest) (*CreateSubTaskResponse, error) {
diff --git a/api/gzipped_body.go b/api/gzipped_body.go
@@ -0,0 +1,64 @@
+package api
+
+import (
+	"bytes"
+	"compress/gzip"
+	"io"
+)
+
+func NewGzippedBody(body interface {
+	GetBody() (io.ReadCloser, error)
+	io.ReadCloser
+}) interface {
+	GetBody() (io.ReadCloser, error)
+	io.ReadCloser
+} {
+	return &gzippedBody{body: body, reader: body}
+}
+
+type gzippedBody struct {
+	buf        bytes.Buffer
+	end        bool
+	gzipWriter *gzip.Writer
+	body       interface {
+		GetBody() (io.ReadCloser, error)
+		io.ReadCloser
+	}
+	reader io.ReadCloser
+}
+
+func (g *gzippedBody) GetBody() (io.ReadCloser, error) {
+	reader, e := g.body.GetBody()
+	if e != nil {
+		return nil, e
+	}
+	return &gzippedBody{body: g.body, reader: reader}, nil
+}
+
+func (g *gzippedBody) Read(p []byte) (n int, err error) {
+	if g.gzipWriter == nil {
+		g.gzipWriter = gzip.NewWriter(&g.buf)
+	}
+	for g.buf.Available() == 0 {
+		if g.end {
+			return 0, io.EOF
+		}
+		_, e := io.CopyN(g.gzipWriter, g.reader, 16*1024)
+		if e == io.EOF {
+			g.end = true
+			e = g.gzipWriter.Close()
+			if e != nil {
+				return 0, e
+			}
+		}
+		if e != nil {
+			return 0, e
+		}
+	}
+
+	return g.reader.Read(p)
+}
+
+func (g *gzippedBody) Close() error {
+	return g.reader.Close()
+}
diff --git a/api/sbom_commit.go b/api/sbom_commit.go
@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"context"
 	"encoding/json"
+	"net/http"
 	"os"
 
 	"github.com/murphysecurity/murphysec/env"
@@ -40,5 +41,11 @@ func SubmitSBOM(ctx context.Context, client *Client) error {
 		must.M(bf.Flush())
 		must.M(f.Close())
 	}
-	return client.DoJson(client.PostJson(joinURL(client.baseUrl, "/platform3/v3/client/upload_data"), req), nil)
+	var body *http.Request
+	if task.MaxSbomVersion == "v1" {
+		body = client.PostSpecialJson(joinURL(client.baseUrl, "/platform3/v3/client/upload_data"), req)
+	} else {
+		body = client.PostJson(joinURL(client.baseUrl, "/platform3/v3/client/upload_data"), req)
+	}
+	return client.DoJson(body, nil)
 }
diff --git a/cmd/murphy/internal/scan/scan.go b/cmd/murphy/internal/scan/scan.go
@@ -79,6 +79,8 @@ func envScan(ctx context.Context) (task *model.ScanTask, e error) {
 		TaskId:      createTaskResp.TaskID,
 		SubtaskId:   createTaskResp.SubtaskID,
 		SubtaskName: createSubtask.ProjectName,
+
+		MaxSbomVersion: createTaskResp.MaxSbomVersion,
 	}
 	ctx = model.WithScanTask(ctx, task)
 	e = envinspection.InspectEnv(ctx, scanProcess)
@@ -217,6 +219,7 @@ func scan(ctx context.Context, dir string, accessType model.AccessType, mode mod
 		IsNoBuild:       noBuild,
 		IsAutonomous:    scanCodeHash,
 		MavenModuleName: mavenModuleName,
+		MaxSbomVersion:  createTaskResp.MaxSbomVersion,
 	}
 	if gitSummary != nil {
 		task.GitUrl = gitSummary.RemoteAddr
diff --git a/model/scantask.go b/model/scantask.go
@@ -28,6 +28,8 @@ type ScanTask struct {
 	AutoBuildFailedCount int
 
 	ProjectLicense ProjectLicense
+
+	MaxSbomVersion string
 }
 
 func (s *ScanTask) BuildInspectionTask(dir string) *InspectionTask {

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ type CreateSubTaskResponse struct {`
`43`	`43`	SubtaskID string `json:"subtask_id"` // 子任务ID
`44`	`44`	TaskName string `json:"task_name"` // 任务名称
`45`	`45`	AlertMessage string `json:"alert_message"`
	`46`	`+`
	`47`	+ MaxSbomVersion string `json:"max_sbom_version"`
`46`	`48`	`}`
`47`	`49`
`48`	`50`	`func CreateSubTask(client Client, request CreateSubTaskRequest) (*CreateSubTaskResponse, error) {`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ type ScanTask struct {`
`28`	`28`	`AutoBuildFailedCount int`
`29`	`29`
`30`	`30`	`ProjectLicense ProjectLicense`
	`31`	`+`
	`32`	`+ MaxSbomVersion string`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`func (s ScanTask) BuildInspectionTask(dir string) InspectionTask {`