OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community.
Home Page: https://opensca.xmirror.cn
License: Apache License 2.0
Improve Python parsing ability: resolve dependencies by calling the command of Package Manager installation dependency
Hi,
�At present, only one online databse is supported, do you have further plan to use other one line database ?
test、provided 其实不参与打包,这种能否加入标签识别
参考说明文档,clone项目后进行打包编译报错
克隆项目
git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git
进入到项目中执行打包命令
go build cmd/opensca-cli/main.go
项目代码中包名为opensca
git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca
cd opensca
export GO111MODULE=on
go build cmd/opensca-cli/main.go
path 直接指定的项目的文件夹, 包括了多个子模块, 现在一直在scan dir 上面转圈圈
由于采用Golang标准archive/zip库解压jar文件。有许多jar文件,虽然是zip文件,但是这些jar文件开头含有一些标识符,导致go认为这不是个标准的zip文件。实际python、unzip等工具都可以正常解压。所以建议解压jar文件替换go标准库里的zip解压工具。详情见这个issue golang/go#51337
报错信息
[WARNING] 2022/03/16 19:13:45 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:47 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:34 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:37 package_json.go:142: improper constraint:
请问,何时可支持python、c、 go等更多语言类型?
源代码build失败,项目多出import报红
New Feature: Export report to HTML
本地漏洞库不提供一个官方版的吗,还是说全都得用户自己写规则?
后续有考虑以Jenkins插件形式运行吗
能否支持对项目中的开源组件进行开源协议扫描,比如我们的产品售卖,对产品中使用的开源组件需要进行开源协议的合规性扫描。
Static analysis for the gradle package management.
MA-5R7WVL3:~/opensca-cli$ ./opensca-cli
[DEBUG] 2024/05/08 10:53:20 config.go:107: use default config
[DEBUG] 2024/05/08 10:53:20 config.go:94: load config /home/xxxx/opensca-cli/config.json
[DEBUG] 2024/05/08 10:53:20 log.go:72: log file: opensca.log
[===] file:0 dependencies:0
Get "https://opensca.xmirror.cn/oss-saas/api-v1/open-sca-client/aes-key?clientId=NAMLGYOQVHSAEYAR&ossToken=11111":[ ] file:0 dependencies:0mirror.cn on 172.26.128.1:53: read udp 172.26.134.28:52091->172.26.128.1:53: i/o timeout
Get "https://opensca.xmirror.cn/oss-saas/api-v1/open-sca-client/aes-key?clientId=NAMLGYOQVHSAEYAR&ossToken=11111":[ ==] file:0 dependencies:0mirror.cn on 172.26.128.1:53: read udp 172.26.134.28:38571->172.26.128.1:53: i/o timeout
Complete!
Components:0 C:0 H:0 M:0 L:0
Vulnerabilities:0 C:0 H:0 M:0 L:0
使用syft生成sbom文件上传到无结果
项目结构
执行扫描时会在目录下生成一个 .temp_path目录,提示permission denied权限不足
云平台官方有demo地址么,想试用也得有联系方式吧。
env:
version:1.0.13
type: cli
additional info:
I want to export csv or sqlite,but license was all blank in the csv file , even no license column in the sqlite file。
ps:
if the idea plugin can also support export csv/sqlite/html is better.
Different paths of the same component are displayed together.
使用的github下载的最新代码编译生成可执行文件进行扫描。得出组件路径结果为
D:/opensca20230822/testvul/pom.xml/[org.springframework.boot:spring-boot-starter:2.4.0]/[org.springframework.boot:spring-boot:2.4.0]/[org.springframework:spring-context:5.3.1]/[org.springframework.boot:spring-boot-autoconfigure:2.4.0]/[org.springframework.boot:spring-boot-starter-logging:2.4.0]/[ch.qos.logback:logback-classic:1.2.3]/[ch.qos.logback:logback-core:1.2.3]/[org.apache.logging.log4j:log4j-to-slf4j:2.13.3]/[org.apache.logging.log4j:log4j-api:2.13.3]/[org.slf4j:jul-to-slf4j:1.7.30]/[jakarta.annotation:jakarta.annotation-api:1.3.5]/[org.springframework:spring-core:5.3.1]/[org.springframework:spring-jcl:5.3.1]/[org.yaml:snakeyaml:1.27]/[org.slf4j:slf4j-api:1.7.30]/[org.springframework.boot:spring-boot-starter-web:2.4.0]/[org.springframework.boot:spring-boot-starter-json:2.4.0]/[com.fasterxml.jackson.core:jackson-databind:2.11.3]/[com.fasterxml.jackson.core:jackson-annotations:2.11.3]/[com.fasterxml.jackson.core:jackson-core:2.11.3]/[com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.3]/[com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.3]/[com.fasterxml.jackson.module:jackson-module-parameter-names:2.11.3]/[org.springframework.boot:spring-boot-starter-tomcat:2.4.0]/[org.apache.tomcat.embed:tomcat-embed-core:9.0.39]/[org.glassfish:jakarta.el:3.0.3]/[org.apache.tomcat.embed:tomcat-embed-websocket:9.0.39]/[org.springframework:spring-web:5.3.1]/[org.springframework:spring-beans:5.3.1]/[org.springframework:spring-webmvc:5.3.1]/[org.springframework:spring-aop:5.3.1]/[org.springframework:spring-expression:5.3.1]/[com.alibaba:fastjson:1.2.47]/[com.mchange:c3p0:0.9.5.2]/[com.mchange:mchange-commons-java:0.2.11]/[commons-collections:commons-collections:3.1]/[org.springframework.boot:spring-boot-devtools:2.4.0]
OpenSCA-cli无法检测出 java - Gradle编译方式 使用io.spring.dependency-management插件不明确标识版本号时无法扫描出依赖和漏洞
使用OpenSCA-cli打包成docker镜像, 扫描java Gradle项目
镜像无Gradle编译环境, 使用build.gradle文件静态分析
plugins {
id 'java'
id 'org.springframework.boot' version '3.2.3'
id 'io.spring.dependency-management' version '1.1.4'
}
group = 'com.example'
version = '0.0.1-SNAPSHOT'
java {
sourceCompatibility = '17'
}
configurations {
compileOnly {
extendsFrom annotationProcessor
}
}
repositories {
mavenCentral()
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-data-ldap'
implementation 'org.springframework.boot:spring-boot-starter-data-redis'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.session:spring-session-data-redis'
compileOnly 'org.projectlombok:lombok'
runtimeOnly 'org.postgresql:postgresql'
annotationProcessor 'org.projectlombok:lombok'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
}
tasks.named('test') {
useJUnitPlatform()
}
希望支持gradle编译的静态文件分析
d
点击启动的时候出现如图情况如何解决
对比了其他项目, 只有发生 pom 文件包含了
<repositories>
<repository>
<id>nexus</id>
<url>私服url地址</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>时,陷入卡死状态,如果删除这个私服url 就检查正常了,
Support for python language.
有个小小的建议,希望增加一个参数,能直接在本地输出扫描项目全量的SBOM。感谢
About gradle support?
Could opensca-cli support gradle in the future?
https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/internal/analyzer/java/pom.go#L58
Is your feature request related to a problem? Please describe.
related to: #249
Describe the solution you'd like
A clear and concise description of what you want to happen.
The golang.org/x/net/proxy package allows the setting up of a SOCKS5 proxy and provides details for authentication.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
N/A
Additional context
Add any other context or screenshots about the feature request here.
N/A
下载可执行文件后,设置了本地漏洞库,但感觉还是从云端检测的
您好,我在尝试使用本地漏洞库demo(db-demo.json)时无法生成out.json文件,log日志中也没有报错信息,请问是哪里出问题了呢
建议在README文件中添加支持的编程语言列表
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.