OpenSCA is a Software Composition Analysis (SCA) solution that supports detection of open source component dependencies and vulnerabilities.

Overview

logo

OpenSCA-Cli

项目介绍

OpenSCA 用来扫描项目的第三方组件依赖及漏洞信息。


下载安装

  1. releases 下载对应系统架构的可执行文件压缩包

  2. 或者下载源码编译(需要 go 1.11 及以上版本)

    git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git
    cd opensca-cli
    go build cmd/opensca-cli

    默认生成当前系统架构的程序,如需生成其他系统架构可配置环境变量后编译

    • 禁用CGO_ENABLED CGO_ENABLED=0
    • 指定操作系统 GOOS=${OS} \\ darwin,freebsd,liunx,windows
    • 指定体系架构 GOARCH=${arch} \\ 386,amd64,arm

使用样例

仅检测组件信息

opensca-cli -path ${project_path}

连接云平台

opensca-cli -url ${url} -token ${token} -path ${project_path}

或使用本地漏洞库

opensca-cli -db db.json -path ${project_path}

参数说明

可在配置文件中配置参数,也可在命令行输入参数,两者冲突时优先使用输入参数

参数 类型 描述 使用样例
config string 指定配置文件路径,程序启动时将配置文件中的参数作为启动参数,配置参数与命令行输入参数冲突时优先使用输入参数 -config config.json
path string 指定要检测的文件或目录路径 -path ./foo
url string 从云漏洞库查询漏洞,指定要连接云服务的地址,仅支持 http 协议,需要写明端口,与 token 参数一起使用 -url http://opensca.xmirror.cn:8003
token string 云服务验证 token,需要在云服务平台申请,与 url 参数一起使用 -token xxxxxxx
cache bool 建议开启,缓存下载的文件(例如 .pom 文件),重复检测相同组件时会节省时间,下载的文件会保存到工具所在目录的.cache 目录下 -cache
vuln bool 结果仅保留有漏洞信息的组件,使用该参数将不会保留组件层级结构 -vuln
out string 将检测结果保存到指定文件,检测结果为 json 格式 -out output.json
db string 指定本地漏洞库文件,希望使用自己漏洞库时可用,漏洞库文件为 json 格式,具体格式会在之后给出;若同时使用云端漏洞库与本地漏洞库,漏洞查询结果取并集 -db db.json

漏洞库文件格式

[
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0-beta9,2.12.2)||[2.13.0,2.15.0)",
    "language": "java",
    "name": "Apache Log4j2 远程代码执行漏洞",
    "id": "XMIRROR-2021-44228",
    "cve_id": "CVE-2021-44228",
    "cnnvd_id": "CNNVD-202112-799",
    "cnvd_id": "CNVD-2021-95914",
    "cwe_id": "CWE-502,CWE-400,CWE-20",
    "description": "Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。\r\nApache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。",
    "description_en": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
    "suggestion": "2.12.1及以下版本可以更新到2.12.2,其他建议更新至2.15.0或更高版本,漏洞详情可参考:https://github.com/apache/logging-log4j2/pull/608 \r\n1、临时解决方案,适用于2.10及以上版本:\r\n\t(1)设置jvm参数:“-Dlog4j2.formatMsgNoLookups=true”;\r\n\t(2)设置参数:“log4j2.formatMsgNoLookups=True”;",
    "attack_type": "远程",
    "release_date": "2021-12-10",
    "security_level_id": 1,
    "exploit_level_id": 1
  },
  {}
]

漏洞库字段说明

字段 描述 是否必填
vendor 组件厂商
product 组件名
version 漏洞影响版本
language 组件语言
name 漏洞名
id 自定义编号
cve_id cve 编号
cnnvd_id cnnvd 编号
cnvd_id cnvd 编号
cwe_id cwe 编号
description 漏洞描述
description_en 漏洞英文描述
suggestion 漏洞修复建议
attack_type 攻击方式
release_date 漏洞发布日期
security_level_id 漏洞风险评级(1~4 风险程度递减)
exploit_level_id 漏洞利用评级(0:不可利用,1:可利用)
You might also like...
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities

SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities Why?

A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.

Dent More Information If you want to learn more about the techniques utlized in this framework please take a look at this article. Description This fr

go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.
go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Lightweight static analysis for many languages. Find bugs and enforce code standards. Semgrep is a fast, open-source, static analysis tool that finds

Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com
Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com

shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security br

Log4j detector and reporting server for scalable detection of vulnerable running processes.

Log4j Detector A client and reporting server to identify systems vulnerable to Log4j at scale. This work is based on Stripe's Remediation Tools, but w

Volana - Shell command obfuscation to avoid detection systems
Volana - Shell command obfuscation to avoid detection systems

volana (moon in malagasy) { Use it ; 🌚(hide from); 🌞(detected by) } Shell comm

DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

Comments
  • 分析javascript项目时报错

    分析javascript项目时报错

    报错信息

    [WARNING] 2022/03/16 19:13:45 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:47 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:13:48 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:34 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:35 package_json.go:142: improper constraint: [WARNING] 2022/03/16 19:17:37 package_json.go:142: improper constraint:

    opened by alchu4n 5
  • 扫描Jar文件失败

    扫描Jar文件失败

    由于采用Golang标准archive/zip库解压jar文件。有许多jar文件,虽然是zip文件,但是这些jar文件开头含有一些标识符,导致go认为这不是个标准的zip文件。实际python、unzip等工具都可以正常解压。所以建议解压jar文件替换go标准库里的zip解压工具。详情见这个issue https://github.com/golang/go/issues/51337

    opened by yangyang-zhang 1
  • README.md 项目编译时出现的问题

    README.md 项目编译时出现的问题

    参考说明文档,clone项目后进行打包编译报错

    克隆项目 git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git

    进入到项目中执行打包命令 go build cmd/opensca-cli/main.go

    image

    项目代码中包名为opensca git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca cd opensca export GO111MODULE=on go build cmd/opensca-cli/main.go

    image

    opened by alchu4n 1
  • About gradle support

    About gradle support

    About gradle support?

    Could opensca-cli support gradle in the future?

    https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/internal/analyzer/java/pom.go#L58

    enhancement 
    opened by wcc526 1
Releases(v1.0.9)
Owner
Xmirror Security
A leading company of DevSecOps agile security.
Xmirror Security
A detector for the Trojan Source and other unicode-based vulnerabilities.

Trojan Source Detector This application detects Trojan Source attacks in source code. It can be used as part of the CI system to make sure there are n

Have you debugged.it? 5 Jan 6, 2022
Bhojpur Consulting 0 Jan 1, 2022
The most complete TigoPesa API Wrapper written in golang with zero external dependencies. Supports Push Pay, C2B and B2C.

tigopesa tigopesa is open source fully compliant tigo pesa client written in golang contents usage example projects links contributors sponsors usage

TECHCRAFT TECHNOLOGIES LIMITED 6 Jan 9, 2022
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

American Express 513 Sep 20, 2022
Search for vulnerabilities and exposures while filtering based on age, keywords, and other parameters.

FAV/E FAV/E (Find A Vulnerability/Exposure) utilizes the NIST CVE database search API to search for vulnerabilities and exposures while filtering base

Tony West 106 Aug 9, 2022
Git watchdog will scan your public repository and find out the vulnerabilities

Dependencies Docker Go 1.17 MySQL 8.0.25 Bootstrap Run chmod +x start.sh if start.sh script does not have privileged to run Run ./start.sh --bootstrap

Quang Nguyen 2 Dec 30, 2021
🍷 Find exploits and vulnerabilities in the most important databases.

?? Dionisio Dionisio is a tool that can automate the search for exploits and vulnerabilities. Written in Go and open source, Dionisio has an advanced

Y G Λ O 0 Mar 14, 2022
Scan systems and docker images for potential spring4shell vulnerabilities.

Scan systems and docker images for potential spring4shell vulnerabilities. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Spring4shell versions. Binaries for Windows, Linux and OsX, but can be build on each platform supported by supported Golang.

null 11 May 6, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

chenk 22 Aug 28, 2022
PHP security vulnerabilities checker

Local PHP Security Checker The Local PHP Security Checker is a command line tool that checks if your PHP application depends on PHP packages with know

Fabien Potencier 951 Sep 30, 2022