OpenSCA是一款开源的软件成分分析工具，用来扫描项目的第三方开源组件依赖及漏洞信息

<p align="center"> <img alt="logo" src="../logo.svg"> </p> <h1 align="center" style="margin: 30px 0 30px; font-weight: bold;">OpenSCA-Cli</h1> <p align="center"> <a href="https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/LICENSE"><img src="https://img.shields.io/github/license/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a> <a href="https://github.com/XmirrorSecurity/OpenSCA-cli/releases"><img src="https://img.shields.io/github/v/release/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a> </p> English|[中文](../README.md) ## Introduction OpenSCA is intended for scanning third-party dependencies and vulnerabilities. Our website: [https://opensca.xmirror.cn](https://opensca.xmirror.cn) Click **STAR** to encourage us. ------ ## Detection Ability OpenSCA is now capable of parsing configuration files in the listed programming languages and correspondent package managers. The team is now dedicated to introducing more languages and enriching the parsing of relevant configuration files gradually. | LANGUAGE | PACKAGE MANAGER | FILE | | ------------ | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | `Java` | `Maven` | `pom.xml` | | `Java` | `Gradle` | `.gradle` `.gradle.kts` | | `JavaScript` | `Npm` | `package-lock.json` `package.json` `yarn.lock` | | `PHP` | `Composer` | `composer.json` `composer.lock` | | `Ruby` | `gem` | `gemfile.lock` | | `Golang` | `gomod` | `go.mod` `go.sum` | | `Rust` | `cargo` | `Cargo.lock` | | `Erlang` | `Rebar` | `rebar.lock` | | `Python` | `Pip` | `Pipfile` `Pipfile.lock` `setup.py` `requirements.txt` `requirements.in`(For the latter two, pipenv environment & internet connection are needed) | ## Download and Deployment 1. Download the appropriate executable file according to your system architecture from [releases](https://gitee.com/XmirrorSecurity/OpenSCA-cli/releases). 2. Or download the source code and compile (go 1.18 and above is needed) ```shell git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca cd opensca go work init cli analyzer util go build -o opensca-cli cli/main.go ``` The default option is to generate the program of the current system architecture. If you want to try it for other system architectures, you can set the following environment variables before compiling. - Disable `CGO_ENABLED` `CGO_ENABLED=0` - Set the operating system `GOOS=${OS} \\ darwin,freebsd,liunx,windows` - Set the architecture `GOARCH=${arch} \\ 386,amd64,arm` ## Samples ### Scan & Report in CLI/CRT (default) Detect the components only: ```shell opensca-cli -path ${project_path} ``` Connect to the cloud vulnerability database: ```shell opensca-cli -url ${url} -token ${token} -path ${project_path} ``` Or use the local vulnerability database: ```shell opensca-cli -db db.json -path ${project_path} ``` ### Scan & Report in Files (use the `out` parameter) Files supported by the `out` parameter are listed below： | TYPE | FORMAT | SPECIFIED SUFFIX | VERSION | | ------ | ------ | -------------------------------- | ------------------ | | REPORT | `json` | `.json` | `*` | | | `xml` | `.xml` | `*` | | | `html` | `.html` | `v1.0.6` and above | | SBOM | `spdx` | `.spdx` `.spdx.json` `.spdx.xml` | `v1.0.8` and above | | | `cdx` | `.cdx.json` `.cdx.xml` | `v1.0.11`and above | | | `swid` | `.swid.json` `.swid.xml` | `v1.0.11`and above | #### Sample ```shell opensca-cli -url ${url} -token ${token} -path ${project_path} -out ${filename}.${suffix} ``` ## Parameters **You can either configure the parameters in the configuration file or input the parameters in the command-line. When the two conflict, the input parameters will be prioritized.** | PARAMETER | TYPE | DESCRIPTION | SAMPLE | | ---------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `config` | `string` | Set the configuration file path, when the program runs, the parameter of the configuration file will be used as the startup parameters. If the configuration parameter conflicts with the command-line input parameter, the latter will be taken. | `-config config.json` | | `path` | `string` | Set the file or directory path to be detected. | `-path ./foo` | | `url` | `string` | Check the vulnerabilities from the cloud vulnerability database and set the address of the cloud service. It needs to be used with the `token` parameter. | `-url https://opensca.xmirror.cn`