<p align="center">
<img alt="logo" src="../logo.svg">
</p>
<h1 align="center" style="margin: 30px 0 30px; font-weight: bold;">OpenSCA-Cli</h1>
<p align="center">
<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/LICENSE"><img src="https://img.shields.io/github/license/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/releases"><img src="https://img.shields.io/github/v/release/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
</p>
English|[中文](../README.md)
## Introduction
OpenSCA is intended for scanning third-party dependencies and vulnerabilities.
Our website: [https://opensca.xmirror.cn](https://opensca.xmirror.cn)
Click **STAR** to encourage us.
------
## Detection Ability
OpenSCA can currently parse the configuration files of the programming languages and corresponding package managers listed below. The team is working on supporting more languages and on enriching the parsing of the relevant configuration files.
| LANGUAGE | PACKAGE MANAGER | FILE |
| ------------ | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Java` | `Maven` | `pom.xml` |
| `Java` | `Gradle` | `.gradle` `.gradle.kts` |
| `JavaScript` | `Npm` | `package-lock.json` `package.json` `yarn.lock` |
| `PHP` | `Composer` | `composer.json` `composer.lock` |
| `Ruby` | `gem` | `gemfile.lock` |
| `Golang` | `gomod` | `go.mod` `go.sum` |
| `Rust` | `cargo` | `Cargo.lock` |
| `Erlang` | `Rebar` | `rebar.lock` |
| `Python` | `Pip` | `Pipfile` `Pipfile.lock` `setup.py` `requirements.txt` `requirements.in` (for the latter two, a pipenv environment and an internet connection are needed) |
## Download and Deployment
1. Download the appropriate executable file according to your system architecture from [releases](https://gitee.com/XmirrorSecurity/OpenSCA-cli/releases).
2. Or download the source code and compile it yourself (Go 1.18 or later is required):
```shell
git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca
cd opensca
go work init cli analyzer util
go build -o opensca-cli cli/main.go
```
By default the build targets the operating system and architecture of the machine you compile on. To cross-compile for another target, set the following environment variables before running `go build`:
- Disable cgo: `CGO_ENABLED=0`
- Set the target operating system: `GOOS=${OS}` (one of `darwin`, `freebsd`, `linux`, `windows`)
- Set the target architecture: `GOARCH=${arch}` (one of `386`, `amd64`, `arm`)
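The build steps above carried out for every listed `GOOS`/`GOARCH` pair, as an added example that is not part of the OpenSCA project: a POSIX shell script that validates the target names against this README's lists, names each binary, and runs the same `go build` line with cgo disabled. It assumes the repository checkout is the working directory and `go` is on `PATH`; the full matrix build only runs when `OPENSCA_BUILD_ALL=1` is set.

```shell
#!/bin/sh
# Added cross-compilation helper for OpenSCA-cli (not project code).
# Assumes: run from the repository root, go 1.18+ on PATH.
set -eu

# Supported targets as listed in the README.
OPENSCA_OS_LIST="darwin freebsd linux windows"
OPENSCA_ARCH_LIST="386 amd64 arm"

# Return 0 if $1 is one of the space-separated words in $2.
opensca_in_list() {
  for item in $2; do
    [ "$1" = "$item" ] && return 0
  done
  return 1
}

# Print the output file name for a target; Windows binaries get ".exe".
opensca_target_name() {
  if [ "$1" = "windows" ]; then
    printf 'opensca-cli-%s-%s.exe\n' "$1" "$2"
  else
    printf 'opensca-cli-%s-%s\n' "$1" "$2"
  fi
}

# Build one target, rejecting typos such as "liunx" before go is invoked.
opensca_build_target() {
  os=$1 arch=$2
  opensca_in_list "$os" "$OPENSCA_OS_LIST" || { echo "unsupported GOOS: $os" >&2; return 1; }
  opensca_in_list "$arch" "$OPENSCA_ARCH_LIST" || { echo "unsupported GOARCH: $arch" >&2; return 1; }
  out=$(opensca_target_name "$os" "$arch")
  # CGO_ENABLED=0 yields a static binary that needs no C toolchain on the target.
  CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" go build -o "$out" cli/main.go
  echo "built $out"
}

# Build every combination. Go no longer supports darwin/386 or darwin/arm,
# so only darwin/amd64 is built from the README's list.
opensca_build_all() {
  for os in $OPENSCA_OS_LIST; do
    for arch in $OPENSCA_ARCH_LIST; do
      if [ "$os" = darwin ] && [ "$arch" != amd64 ]; then continue; fi
      opensca_build_target "$os" "$arch"
    done
  done
}

# Only run the full matrix when explicitly requested.
if [ "${OPENSCA_BUILD_ALL:-0}" = 1 ]; then
  opensca_build_all
fi
```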
## Samples
### Scan & Report in CLI/CRT (default)
Detect the components only:
```shell
opensca-cli -path ${project_path}
```
Connect to the cloud vulnerability database:
```shell
opensca-cli -url ${url} -token ${token} -path ${project_path}
```
Or use the local vulnerability database:
```shell
opensca-cli -db db.json -path ${project_path}
```
### Scan & Report in Files (use the `out` parameter)
Files supported by the `out` parameter are listed below:
| TYPE | FORMAT | SPECIFIED SUFFIX | VERSION |
| ------ | ------ | -------------------------------- | ------------------ |
| REPORT | `json` | `.json` | `*` |
| | `xml` | `.xml` | `*` |
| | `html` | `.html` | `v1.0.6` and above |
| SBOM | `spdx` | `.spdx` `.spdx.json` `.spdx.xml` | `v1.0.8` and above |
| | `cdx` | `.cdx.json` `.cdx.xml` | `v1.0.11` and above |
| | `swid` | `.swid.json` `.swid.xml` | `v1.0.11` and above |
#### Sample
```shell
opensca-cli -url ${url} -token ${token} -path ${project_path} -out $(unknown).${suffix}
```
## Parameters
**Parameters can be set either in the configuration file or on the command line. When the two conflict, the command-line value takes precedence.**
| PARAMETER | TYPE | DESCRIPTION | SAMPLE |
| ---------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `config` | `string` | Set the configuration file path. When the program runs, the parameters in the configuration file are used as its startup parameters; if a configuration-file parameter conflicts with a command-line parameter, the command-line value is used. | `-config config.json` |
| `path` | `string` | Set the file or directory path to be detected. | `-path ./foo` |
| `url` | `string` | Check vulnerabilities against the cloud vulnerability database; sets the address of the cloud service. Must be used together with the `token` parameter. | `-url https://opensca.xmirror.cn` |