登录 注册
开源 企业版 高校版 私有云 模力方舟
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 120

姑苏/OpenSCA-cli

forked from 悬镜安全/OpenSCA-cli 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
分支 1
标签 12
undefined
贡献代码
同步代码
创建 Pull Request
了解更多
对比差异 通过 Pull Request 同步
同步更新到分支
通过 Pull Request 同步
将会在向当前分支创建一个 Pull
Request,合入后将完成同步
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
.github
analyzer
cli
docs
util
.goreleaser.yml
LICENSE
README.md
config.json
db-demo.json
go.work.sum
logo.svg
makefile
wechat.png
Loading...
README
Apache-2.0

logo

OpenSCA-Cli

中文 | English

项目介绍

OpenSCA 用来扫描项目的第三方组件依赖及漏洞信息。

官网:https://opensca.xmirror.cn

欢迎点亮star,鼓励下项目组的小伙伴们~

检测能力

OpenSCA现已支持以下编程语言相关的配置文件解析及对应的包管理器,后续会逐步支持更多的编程语言,丰富相关配置文件的解析。

支持语言 包管理器 解析文件
Java Maven pom.xml
Java Gradle .gradle .gradle.kts
JavaScript Npm package-lock.json package.json yarn.lock
PHP Composer composer.json composer.lock
Ruby gem gemfile.lock
Golang gomod go.mod go.sum
Rust cargo Cargo.lock
Erlang Rebar rebar.lock
Python Pip Pipfile Pipfile.lock setup.py requirements.txt requirements.in (后两者的解析需要具备pipenv环境,需要联网。)

下载安装

  1. releases 下载对应系统架构的可执行文件压缩包

  2. 或者下载源码编译(需要 go 1.18 及以上版本)

    git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca
cd opensca
go work init cli analyzer util
go build -o opensca-cli cli/main.go

    默认生成当前系统架构的程序,如需生成其他系统架构可配置环境变量后编译

    • 禁用CGO_ENABLED CGO_ENABLED=0
    • 指定操作系统 GOOS=${OS} \\ darwin,freebsd,liunx,windows
    • 指定体系架构 GOARCH=${arch} \\ 386,amd64,arm

使用样例

检测并输出检测结果到命令行/终端界面(默认)

仅检测组件信息

opensca-cli -path ${project_path}

连接云平台

opensca-cli -url ${url} -token ${token} -path ${project_path}

或使用本地漏洞库

opensca-cli -db db.json -path ${project_path}

检测并输出检测结果文件(使用out参数)

out参数支持范围如下:

类型 文件格式 识别的文件后缀 支持版本
检测报告 json .json *
xml .xml *
html .html v1.0.6及以上
SBOM清单 spdx .spdx .spdx.json .spdx.xml v1.0.8及以上
cdx .cdx.json .cdx.xml v1.0.11及以上
swid .swid.json .swid.xml v1.0.11及以上

样例

opensca-cli -url ${url} -token ${token} -path ${project_path} -out ${filename}.${suffix}

参数说明

可在配置文件中配置参数,也可在命令行输入参数,两者冲突时优先使用输入参数

参数 类型 描述 使用样例
config string 指定配置文件路径,程序启动时将配置文件中的参数作为启动参数,配置参数与命令行输入参数冲突时优先使用输入参数 -config config.json
path string 指定要检测的文件或目录路径 -path ./foo
url string 从云漏洞库查询漏洞,指定要连接云服务的地址,与 token 参数一起使用 -url https://opensca.xmirror.cn
token string 云服务验证 token,需要在云服务平台申请,与 url 参数一起使用 -token xxxxxxx
vuln bool 结果仅保留有漏洞信息的组件,使用该参数将不会保留组件层级结构 -vuln
out string 将检测结果保存到指定文件,根据后缀生成不同格式的文件,默认为 JSON 格式 -out output.json
-out output.xml
-out output.html
-out output.spdx
-out output.spdx.xml
-out output.spdx.json
-out output.swid.xml
-out output.swid.json
-out output.cdx.xml
-out output.cdx.json
db string 指定本地漏洞库文件,希望使用自己漏洞库时可用,漏洞库文件为 json 格式,具体格式会在之后给出;若同时使用云端漏洞库与本地漏洞库,漏洞查询结果取并集 -db db.json
progress bool 显示进度条 -progress
dedup bool 相同组件去重 -dedup

1.0.9及以上版本支持配置maven私服库,需要在配置文件config.json里进行配置,格式如下:

{
    "maven": [
        {
            "repo": "url",
            "user": "user",
            "password": "password"
        }
    ]
}

漏洞库文件格式

[
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0-beta9,2.12.2)||[2.13.0,2.15.0)",
    "language": "java",
    "name": "Apache Log4j2 远程代码执行漏洞",
    "id": "XMIRROR-2021-44228",
    "cve_id": "CVE-2021-44228",
    "cnnvd_id": "CNNVD-202112-799",
    "cnvd_id": "CNVD-2021-95914",
    "cwe_id": "CWE-502,CWE-400,CWE-20",
    "description": "Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。\r\nApache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。",
    "description_en": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
    "suggestion": "2.12.1及以下版本可以更新到2.12.2,其他建议更新至2.15.0或更高版本,漏洞详情可参考:https://github.com/apache/logging-log4j2/pull/608 \r\n1、临时解决方案,适用于2.10及以上版本:\r\n\t(1)设置jvm参数:“-Dlog4j2.formatMsgNoLookups=true”;\r\n\t(2)设置参数:“log4j2.formatMsgNoLookups=True”;",
    "attack_type": "远程",
    "release_date": "2021-12-10",
    "security_level_id": 1,
    "exploit_level_id": 1
  }
]

漏洞库字段说明

字段 描述 是否必填
vendor 组件厂商
product 组件名
version 漏洞影响版本
language 组件语言
name 漏洞名
id 自定义编号
cve_id cve 编号
cnnvd_id cnnvd 编号
cnvd_id cnvd 编号
cwe_id cwe 编号
description 漏洞描述
description_en 漏洞英文描述
suggestion 漏洞修复建议
attack_type 攻击方式
release_date 漏洞发布日期
security_level_id 漏洞风险评级(1~4 风险程度递减)
exploit_level_id 漏洞利用评级(0:不可利用,1:可利用)

常见问题

使用OpenSCA需要配置环境变量吗?

不需要。解压后直接在命令行或终端工具中执行对应命令即可开始检测。

OpenSCA目前支持哪些漏洞库呢?

OpenSCA支持自主配置本地漏洞库,需要按照漏洞库文件格式配置。

同时OpenSCA提供云漏洞库服务,兼容NVD、CNVD、CNNVD等官方漏洞库。

使用OpenSCA检测时,检测速度与哪些因素有关?

检测速度与压缩包大小、网络状况和检测语言有关,通常情况下会在几秒到几分钟。

v1.0.11开始在默认逻辑中新增了阿里云镜像库作为maven官方库的备用,解决了官方库连接受限导致的检测速度过慢问题。

v1.0.10及更低版本使用时如遇检测速度异常慢、日志文件中有maven连接失败报错,v1.0.6-v1.0.10可在配置文件config.json中将“maven”字段作如下设置:

{
    "maven": [
        {
            "repo": "https://maven.aliyun.com/repository/public",
            "user": "",
            "password": ""
        }
    ]
}

设置完毕后,确保配置文件和opensca-cli在同一目录下,执行opensca-cli检测命令加上-config congif.json即可,示例:

opensca-cli -url https://opensca.xmirror.cn -token {token} -path {path} -out output.html -config config.json

v1.0.5及更低版本需要自行修改源码配置镜像库地址,建议升级到更高版本。

更多常见问题,参见常见问题

问题反馈&联系我们

如果您在使用中遇到问题,欢迎向我们提交ISSUE。

也可添加下方微信:

二维码

QQ技术交流群:832039395

官方邮箱:opensca@anpro-tech.com

贡献者

  • 张涛
  • 张弛
  • 陈钟
  • 刘恩炙
  • 宁戈

向我们贡献

OpenSCA 是一款开源的软件成分分析工具,项目成员期待您的贡献。

如果您对此有兴趣,请参考我们的贡献指南
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [2021] [ Beijing Anpro Information Technology Co.,Ltd. ] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

简介

OpenSCA是一款开源的软件成分分析工具,用来扫描项目的第三方开源组件依赖及漏洞信息。 OpenSCA is a Software Composition Analysis (SCA) solution that supports the detection of open source component dependencies and vulnerabilities. 展开 收起
暂无标签
https://opensca.xmirror.cn
README
Apache-2.0
使用 Apache-2.0 开源许可协议
Code of conduct
0 Stars
1 Watching
120 Forks
取消

发行版

暂无发行版

贡献者

全部

近期动态

不能加载更多了
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/java_superb/OpenSCA-cli.git
git@gitee.com:java_superb/OpenSCA-cli.git
java_superb
OpenSCA-cli
OpenSCA-cli
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部