English|中文

OpenSCA is intended for scanning third-party dependencies and vulnerabilities.

Our website: https://opensca.xmirror.cn

Click STAR to encourage us.

OpenSCA is now capable of parsing configuration files in the listed programming languages and correspondent package managers. The team is now dedicated to introducing more languages and enriching the parsing of relevant configuration files gradually.

1. Download the appropriate executable file according to your system architecture from releases.

2. Or download the source code and compile (go 1.18 and above is needed)

   git clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca
   cd opensca
   go work init cli analyzer util
   go build -o opensca-cli cli/main.go

   The default option is to generate the program of the current system architecture. If you want to try it for other system architectures, you can set the following environment variables before compiling.

   • Disable CGO_ENABLED CGO_ENABLED=0
   • Set the operating system GOOS=${OS} \\ darwin,freebsd,liunx,windows
   • Set the architecture GOARCH=${arch} \\ 386,amd64,arm

Detect the components only:

opensca-cli -path ${project_path}

Connect to the cloud vulnerability database:

opensca-cli -url ${url} -token ${token} -path ${project_path}

Or use the local vulnerability database:

opensca-cli -db db.json -path ${project_path}

Files supported by the out parameter are listed below：

opensca-cli -url ${url} -token ${token} -path ${project_path} -out ${filename}.${suffix}

You can either configure the parameters in the configuration file or input the parameters in the command-line. When the two conflict, the input parameters will be prioritized.

For v1.0.9 and above, local maven component database can be configured in the following format in the configuration file:

{
    "maven": [
        {
            "repo": "url",
            "user": "user",
            "password": "password"
        }
    ]
}

[
  {
    "vendor": "org.apache.logging.log4j",
    "product": "log4j-core",
    "version": "[2.0-beta9,2.12.2)||[2.13.0,2.15.0)",
    "language": "java",
    "name": "Apache Log4j2 远程代码执行漏洞",
    "id": "XMIRROR-2021-44228",
    "cve_id": "CVE-2021-44228",
    "cnnvd_id": "CNNVD-202112-799",
    "cnvd_id": "CNVD-2021-95914",
    "cwe_id": "CWE-502,CWE-400,CWE-20",
    "description": "Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。\r\nApache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。",
    "description_en": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
    "suggestion": "2.12.1及以下版本可以更新到2.12.2，其他建议更新至2.15.0或更高版本，漏洞详情可参考：https://github.com/apache/logging-log4j2/pull/608 \r\n1、临时解决方案，适用于2.10及以上版本：\r\n\t（1）设置jvm参数：“-Dlog4j2.formatMsgNoLookups=true”；\r\n\t（2）设置参数：“log4j2.formatMsgNoLookups=True”；",
    "attack_type": "远程",
    "release_date": "2021-12-10",
    "security_level_id": 1,
    "exploit_level_id": 1
  }
]

*There are several pre-set values to the "language" field, including java, js, golang, rust, php, ruby and python. Other languages are not limited to the pre-set value.

Since v1.0.13, OpenSCA supports databases in sql format. Once the database is organized according to the format, set them through the configuration file as follows:

[
{
  "origin":{
    "mysql":{
      "dsn":"user:password@tcp(ip:port)/dbname",
      "table":"table_name"
    },
    "json":{
      "dsn":"db.json"
    }
  }
}
]

No. OpenSCA can be directly executed by the command in CLI/CRT after decompression.

OpenSCA allows configuring the local vulnerability database. It has to be sorted according to the Format of the Vulnerability Database File.

Meanwhile, OpenSCA also offers a cloud vulnerability database covering official databases including CVE/CWE/NVD/CNVD/CNNVD.

It depends on the size of the package, the network condition and the language.

From v1.0.11, we add aliyun mirror database as the backup to the official maven repository to solve the lag caused by network connection.

For v1.0.10 and below, if the time is abnormally long and error information about connection failure to the maven repository gets reported in the log file, users of versions between v1.0.6 and v1.0.10 can fix the problem by setting the maven field in config.json like below:

{
    "maven": [
        {
            "repo": "https://maven.aliyun.com/repository/public",
            "user": "",
            "password": ""
        }
    ]
}   

After setting, save config.json to the same folder of opensca-cli.exe and execute the command. Eg:

opensca-cli -url https://opensca.xmirror.cn -token {token} -path {path} -out output.html -config config.json

Users of v1.0.5 and below may have to modify the source code. We recommend an upgrade to higher versions.

For more other FAQs, please check FAQs.

ISSUEs are warmly welcome.

Add WeChat for further consults is also an option:

Our QQ Group: 832039395

Mailbox: [email protected]

• Tao Zhang
• Chi Zhang
• Zhong Chen
• Enzhi Liu
• Ge Ning

OpenSCA is an open source project, we appreciate your contribution!

To contribute, please read our Contributing Guideline.