Open source component analysis tool OpenSCA tutorial

Open source component analysis tool OpenSCA

Software Description

OpenSCA is an open source software component analysis tool used to scan third-party component dependencies and vulnerability information of projects.

As the open source version of Yuanjian OSS, the open source threat control product of Xuanjing Security, OpenSCA inherits the core capabilities of Yuanjian OSS, namely multi-source SCA detection of security defects in open source applications. Through software component analysis, dependency analysis, feature analysis, citation identification, compliance analysis and other methods, it digs out the security vulnerabilities and open source license risks hidden in components, so that the open source components introduced into an application can be used safely. Official address: https://opensca.xmirror.cn/

Application Scenario

Security development

  • OpenSCA is an open source IDE open source risk detection plug-in that helps individual/enterprise developers quickly locate and fix vulnerabilities
  • Developer-friendly, lightweight and low-cost zero-threshold installation
  • Enterprise-level SCA core engine, supporting secondary development

Security testing

  • Security testing of third-party open source components of products
  • Improve the security of software products and prevent applications from going live with known defects

Security management

  • Secure access to third-party components and vendor software
  • Establishment of enterprise internal security component library
  • Visual inventory of software or component assets
  • Security Department Compliance Review and Related Open Source Governance Work

Project address

https://gitee.com/XmirrorSecurity/OpenSCA-cli

Download and install

Method 1:

Download the OpenSCA source code to your local machine:

git clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca

If you are installing on Windows, you need to install Git first:

https://git-scm.com/download/win

After installation, enter the following commands in Git Bash:

cd opensca
go work init cli analyzer util
go env -w GOPROXY=https://goproxy.cn
go build -o opensca-cli cli/main.go

Method 2:

Alternatively, visit the project address and download the latest release archive of the executable that matches your system architecture:

https://gitee.com/XmirrorSecurity/OpenSCA-cli/
Download the Go installer from https://golang.google.cn/dl/ to your local machine.

The installation is wizard-driven: the install path defaults to the C drive, but you can change it to another path; keep clicking Next until the installation completes.

After the installation succeeds, open cmd and enter the command go version to check it.

Configure the environment variables (This PC - Advanced system settings - Environment Variables - System variables).

Then open CMD in the project folder and run:

go work init cli analyzer util
go env -w GOPROXY=https://goproxy.cn
go build -o opensca-cli cli/main.go

Detection

The opensca-cli tool needs to be associated with a vulnerability database in order to produce component vulnerability detection data. Two association methods are provided, a cloud platform vulnerability database and an offline vulnerability database, to cover both online and offline use.

Cloud platform vulnerability database: associates the latest vulnerability data, and uploads the locally parsed component information (excluding code) to the OpenSCA cloud platform;

Offline vulnerability database: you need to prepare your own vulnerability database according to the database format provided by OpenSCA; component vulnerability detection is then completed without sending the parsed component information to the OpenSCA cloud platform.

Cloud online detection

(1) Generate Token

Visit the OpenSCA official website (opensca.xmirror.cn), log in or register, and enter the OpenSCA cloud platform;

Choose a validity period (it can be set a bit longer), then copy the generated token.

(2) Detect application packages or projects

According to different operating system environments, execute the following commands in the command line tool:

Note: replace ${...} with the actual parameter value; the ${} itself is not part of the command.

MacOS/Linux

opensca-cli -url https://opensca.xmirror.cn -token ${token} -path ${project_path} -out output.json

Windows

opensca-cli.exe -url https://opensca.xmirror.cn -token ${token} -path ${project_path} -out output.json

I will use Windows to demonstrate:

First download a vulnerable component:

https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.80/

Open cmd in the opensca folder and execute the following command:

opensca-cli.exe -url https://opensca.xmirror.cn -token 097ead7e-f7b1-425c-82f7-d5df9813537a -path fastjson-1.2.80.jar -out output.json

Other test samples:

Only detect component information:

opensca-cli -path ${project_path}

Connect to the cloud platform:

opensca-cli -url ${url} -token ${token} -path ${project_path}

Or use the local vulnerability database:

opensca-cli -db db.json -path ${project_path}

Parameter Description

View Results

The component detection results will be saved in the output.json file in the directory where opensca-cli is located.

To view the JSON in a formatted way, you can first paste it into a formatter such as https://www.sojson.com/

Example (my own scan results):

{
  "task_info": {
    "tool_version": "v1.0.7",
    "app_name": "fastjson-1.2.80.jar",
    "size": 671884,
    "start_time": "2022-07-15 11:01:07",
    "end_time": "2022-07-15 11:01:07",
    "cost_time": 0.1634333
  },
  "vendor": "com.alibaba",
  "name": "fastjson",
  "version": "1.2.80",
  "language": "Java",
  "direct": false,
  "paths": ["META-INF/maven/com.alibaba/fastjson/pom.xml/[com.alibaba:fastjson:1.2.80]"],
  "vulnerabilities": [{
    "name": "Fastjson 代码问题漏洞",
    "id": "XMIRROR-2022-25845",
    "cve_id": "CVE-2022-25845",
    "cnnvd_id": "CNNVD-202206-1037",
    "cwe_id": "CWE-502",
    "description": "Fastjson是一款基于Java的快速JSON解析器/生成器。 \nFastjson 1.2.83 之前版本存在安全漏洞,该漏洞源于容易绕过默认的 autoType 关闭限制来反序列化不受信任的数据,攻击者利用该漏洞可以攻击远程服务器。",
    "suggestion": "目前厂商已发布升级补丁以修复漏洞,补丁获取链接: \nhttps://github.com/alibaba/fastjson/wiki/security_update_20220523",
    "attack_type": "远程",
    "release_date": "2022-06-10",
    "security_level_id": 1,
    "exploit_level_id": 0
  }]
}
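As an added example, not from the original tutorial and not part of the OpenSCA project: a Python script that assembles the opensca-cli command line for the three modes shown above (component-only, cloud platform with -url/-token, offline database with -db), then reads the resulting output.json and returns a non-zero exit code when a vulnerability at or above a chosen severity is present, which is the check a CI pipeline would want. It assumes the report layout of the sample above (a component with vendor/name/version and a vulnerabilities list carrying cve_id and security_level_id), it assumes that a lower security_level_id means higher severity (the sample shows a critical CVE at level 1; adjust if your platform's scale differs), and because the tutorial shows only one top-level component it walks the whole JSON tree generically rather than relying on any particular key for nested dependencies. The embedded sample report is constructed from the tutorial's own excerpt.

```python
import json
import subprocess
import sys
from typing import Any, Dict, Iterator, List, Optional

# Sample report, constructed from the tutorial's output.json excerpt above
# (descriptive strings dropped; only the fields the gate needs are kept).
SAMPLE_REPORT: Dict[str, Any] = json.loads("""
{
  "task_info": {"tool_version": "v1.0.7", "app_name": "fastjson-1.2.80.jar"},
  "vendor": "com.alibaba",
  "name": "fastjson",
  "version": "1.2.80",
  "language": "Java",
  "direct": false,
  "vulnerabilities": [{
    "id": "XMIRROR-2022-25845",
    "cve_id": "CVE-2022-25845",
    "cwe_id": "CWE-502",
    "security_level_id": 1,
    "exploit_level_id": 0
  }]
}
""")


def build_scan_command(project_path: str, out_file: str = "output.json",
                       url: Optional[str] = None, token: Optional[str] = None,
                       db: Optional[str] = None,
                       binary: str = "opensca-cli") -> List[str]:
    """Assemble the argument list for the three modes shown in the tutorial:
    offline database (-db) wins if given, then cloud (-url/-token),
    otherwise component information only."""
    cmd = [binary]
    if db:
        cmd += ["-db", db]
    elif url and token:
        cmd += ["-url", url, "-token", token]
    cmd += ["-path", project_path, "-out", out_file]
    return cmd


def iter_components(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every dict that looks like a component: it has a name and a
    vulnerabilities list. The walk is generic over dicts and lists so that a
    report with nested dependency entries (assumed; the tutorial shows only a
    single top-level component) is covered without naming a specific key.
    Vulnerability records themselves have a name but no vulnerabilities list,
    so they are not mistaken for components."""
    if isinstance(node, dict):
        if "name" in node and isinstance(node.get("vulnerabilities"), list):
            yield node
        for value in node.values():
            yield from iter_components(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_components(item)


def find_vulnerabilities(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten the report into one record per (component, vulnerability)."""
    findings: List[Dict[str, Any]] = []
    for comp in iter_components(report):
        coordinate = f"{comp.get('vendor', '')}:{comp['name']}:{comp.get('version', '')}"
        for vuln in comp["vulnerabilities"]:
            findings.append({
                "component": coordinate,
                "direct": comp.get("direct"),
                "cve_id": vuln.get("cve_id"),
                "cwe_id": vuln.get("cwe_id"),
                "security_level_id": vuln.get("security_level_id"),
            })
    return findings


def should_fail(report: Dict[str, Any], fail_level: int = 2) -> bool:
    """Gate: True if any finding has security_level_id <= fail_level.
    Assumption: a lower security_level_id is more severe (the sample shows a
    critical CVE at level 1). Findings without a level never trigger the gate."""
    return any(f["security_level_id"] is not None and f["security_level_id"] <= fail_level
               for f in find_vulnerabilities(report))


def main(argv: List[str]) -> int:
    # Usage: python sca_gate.py <project_path> [--db db.json | --url URL --token TOKEN]
    import argparse
    ap = argparse.ArgumentParser(description="run opensca-cli and gate on its report")
    ap.add_argument("project_path")
    ap.add_argument("--out", default="output.json")
    ap.add_argument("--url")
    ap.add_argument("--token")
    ap.add_argument("--db")
    ap.add_argument("--fail-level", type=int, default=2)
    args = ap.parse_args(argv)
    cmd = build_scan_command(args.project_path, args.out, args.url, args.token, args.db)
    subprocess.run(cmd, check=True)  # requires opensca-cli on PATH
    with open(args.out, encoding="utf-8") as fh:
        report = json.load(fh)
    for f in find_vulnerabilities(report):
        print(f"{f['component']:40} {str(f['cve_id']):18} level={f['security_level_id']}")
    return 1 if should_fail(report, args.fail_level) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The gate deliberately treats the offline database as taking precedence over the cloud flags, so a pipeline that must not upload component inventories can set --db and be sure no -url/-token pair is passed. Raise --fail-level to fail on lower-severity findings, or set it to 0 to only report.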

Add plug-in detection in the IDE:

Plug-in reference link:

https://opensca.xmirror.cn/docs/v1/plugin.html#%E6%8F%92%E4%BB%B6%E5%8A%9F%E8%83%BD

Open the package:


Source: blog.csdn.net/m0_65355570/article/details/125803273