Deploying and Using Google's Open Source Vulnerability Scanner OSV-Scanner
2022-12-15
負笈在线
1. What is OSV?
OSV is Google's vulnerability database and triage infrastructure for open source projects, intended to help both maintainers and users of open source software deal with vulnerabilities in their dependencies. For maintainers, OSV's automation reduces the triage burden: each vulnerability is analysed automatically to determine the affected commits and version ranges.
2. What is OSV-Scanner?
OSV-Scanner is a free vulnerability scanner from Google built on the Open Source Vulnerability (OSV) schema and the OSV.dev database service; Google describes OSV.dev as the largest community-editable open source vulnerability database. The scanner matches a project's code and dependencies against the known-vulnerability records and reports whether a patched or updated version exists, so vulnerable components can be found and fixed across the software supply chain.
3. Deploying OSV-Scanner
0. Environment
OS: AlmaLinux release 8.6 (Sky Tiger)
Go: go version go1.18.9 linux/amd64 (1.18 or newer is required)
Hardware: 1 vCPU, 1 GB RAM
1. Install Go
# yum install curl
# yum install wget
Pick a suitable Go release (1.18 or newer) from https://golang.google.cn/dl/ and download it:
# wget -c https://golang.google.cn/dl/go1.18.9.linux-amd64.tar.gz
# tar -C /usr/local -xzf go1.18.9.linux-amd64.tar.gz
# cd /usr/local
# vi /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
Open a new login shell (or source /etc/profile.d/goenv.sh) so the new PATH takes effect, then confirm the toolchain:
# go version
go version go1.18.9 linux/amd64
If the host is inside mainland China, point module downloads at a domestic proxy. GOSUMDB is left at its default, sum.golang.org, so modules fetched through the mirror are still verified against the Go checksum database rather than trusted on the mirror's word:
# go env -w GOSUMDB="sum.golang.org"
# go env -w GO111MODULE=on
# go env -w GOPROXY=https://goproxy.cn,direct
2. Install OSV-Scanner
# go install github.com/google/osv-scanner/cmd/osv-scanner@v1
# ln /root/go/bin/osv-scanner /usr/bin/osv-scanner
# osv-scanner --version
osv-scanner version: dev
commit: n/a
built at: n/a
A binary built with go install carries no release metadata, so the version prints as dev; it is still the v1 release resolved by the @v1 selector (v1.0.1 at the time of writing, as the module cache path used below shows).
4. Using OSV-Scanner
1. Scanning a directory
$ osv-scanner -r /path/to/your/dir
The -r flag walks the directory recursively and picks up every supported lockfile it finds. For machine-readable output:
$ osv-scanner --json -r /path/to/your/dir
To suppress findings you have already triaged, write an osv-scanner.toml. The module ships a reference file at ./go/pkg/mod/github.com/google/osv-scanner@v1.0.1/fixtures/testdatainner/osv-scanner.toml; copy it and edit the copy rather than editing the module cache in place. Each ignored vulnerability is its own [[IgnoredVulns]] table:
[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"

[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."
Record a reason for every exception and set ignoreUntil to force re-review; an exception without an expiry silently outlives the reasoning behind it. osv-scanner picks up an osv-scanner.toml placed next to the scanned lockfile; --config points it at an explicit file instead:
$ osv-scanner --json --config=./go/pkg/mod/github.com/google/osv-scanner@v1.0.1/fixtures/testdatainner/osv-scanner.toml -r /path/to/your/dir
Example run against the module's own fixture directory (nothing there is vulnerable, so results comes back empty; the one composer.lock that fails to parse is a deliberately invalid fixture):
# osv-scanner --json -r /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/
Scanning dir /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many/Gemfile.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many/composer.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many/yarn.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many-with-invalid/Gemfile.lock file and found 1 packages
Attempted to scan lockfile but failed: /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many-with-invalid/composer.lock
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-many-with-invalid/yarn.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-one-with-nested/nested/composer.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/cmd/osv-scanner/fixtures/locks-one-with-nested/yarn.lock file and found 1 packages
Scanned /root/go/pkg/mod/github.com/google/osv-scanner@v1.0.1/go.mod file and found 18 packages
{
"results": []
}
2. Scanning Docker images
Only Debian-based images are supported at this point. The scanner obtains the package list by running dpkg-query inside a container started from the image, so the Docker daemon must be running and the image is actually executed on the scanning host; scan only images you would be willing to run there anyway.
Quick Docker install and pull of a Debian image (the image used below really is named debain):
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum install docker-ce*
# systemctl start docker
# systemctl enable docker
# cat /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"]
}
# systemctl restart docker
# docker info
# docker search debain
# docker pull 717160040/debain
# docker image list
Scanning the image
Syntax: osv-scanner --docker image_name:latest
# osv-scanner --docker 717160040/debain:latest --json >/root/717160040_debain.json
# cat /root/717160040_debain.json
"results": [
{
"source": {
"path": "717160040/debain:latest",
"type": "docker"
},
"packages": [
{
"package": {
"name": "apt",
"version": "1.4.8",
"ecosystem": "Debian"
},
"vulnerabilities": [
{
"schema_version": "1.3.0",
"id": "DLA-2487-1",
"modified": "2022-08-05T05:18:58.818593Z",
"published": "2020-12-10T00:00:00Z",
"aliases": [
"CVE-2020-27350"
],
"summary": "apt - security update",
"details": "\nIt was discovered that missing input validation in the ar/tar\nimplementations of APT, the high level package manager, could cause\nout-of-bounds reads or infinite loops, resulting in denial of service\nwhen processing malformed deb files.\n\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.4.11.\n\n\nWe recommend that you upgrade your apt packages.\n\n\nFor the detailed security status of apt please refer to\nits security tracker page at:\n\u003chttps://security-tracker.debian.org/tracker/apt\u003e\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: \u003chttps://wiki.debian.org/LTS\u003e\n\n\n",
"affected": [
{
"package": {
"ecosystem": "Debian:9",
"name": "apt",
"purl": "pkg:deb/debian/apt?arch=source"
},
....
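The JSON above (and the directory scan's JSON earlier) is what a CI job has to act on, and the osv-scanner.toml ignore list from the configuration section is how triaged findings get suppressed. The following script is an added example, not code from this article or from the osv-scanner project: it reads a constructed osv-scanner.toml, applies the exceptions to a constructed scan result shaped like the output above, and returns a non-zero exit code while any unignored finding remains. Two behaviours are this example's own assumptions rather than documented scanner semantics: an exception counts as valid through its ignoreUntil date and is dropped afterwards, and an entry matches a finding by its id or by any of its aliases, so ignoring CVE-2020-27350 also covers DLA-2487-1. The package example.com/constructed/module and the lockfile path /src/go.mod are invented for the sample.

```python
"""Gate a CI step on `osv-scanner --json` output plus an osv-scanner.toml ignore list.

Added example, not code from the article or the osv-scanner project. The TOML and
JSON below are constructed samples shaped like the page's config and output. This
example's own assumptions (not documented scanner semantics): an exception is honoured
through its ignoreUntil date and dropped after it, and an entry matches a finding by
id or by any alias.
"""
import datetime as dt
import json
import re

# Constructed osv-scanner.toml in the layout of the page's fixture file.
CONFIG_TOML = """
[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"
[[IgnoredVulns]]
id = "GO-2022-1059"
ignoreUntil = 2022-11-09 # expired: must stop suppressing the finding
reason = "No external http servers are written in Go lang."
[[IgnoredVulns]]
id = "CVE-2020-27350"
reason = "constructed: alias of DLA-2487-1, accepted for the pinned stretch base image"
"""

# Constructed scan output: the docker source from the page plus one invented Go lockfile source.
SCAN_JSON = """{"results": [
  {"source": {"path": "717160040/debain:latest", "type": "docker"},
   "packages": [{"package": {"name": "apt", "version": "1.4.8", "ecosystem": "Debian"},
                 "vulnerabilities": [{"id": "DLA-2487-1", "aliases": ["CVE-2020-27350"],
                                      "summary": "apt - security update"}]}]},
  {"source": {"path": "/src/go.mod", "type": "lockfile"},
   "packages": [{"package": {"name": "example.com/constructed/module", "version": "1.2.3", "ecosystem": "Go"},
                 "vulnerabilities": [{"id": "GO-2022-0968", "aliases": [], "summary": "constructed"},
                                     {"id": "GO-2022-1059", "aliases": [], "summary": "constructed"}]}]}
]}"""

# One `key = "string"` or `key = YYYY-MM-DD` line, optionally followed by a # comment.
_KV_RE = re.compile(r'^(\w+)\s*=\s*(?:"([^"]*)"|(\d{4}-\d{2}-\d{2}))\s*(?:#.*)?$')


def parse_ignored_vulns(text):
    """Read the [[IgnoredVulns]] tables of an osv-scanner.toml (not a general TOML parser:
    anything beyond headers, quoted strings, bare dates and comments raises, so a malformed
    config fails the build instead of quietly ignoring less than intended)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[IgnoredVulns]]":
            current = {}
            entries.append(current)
            continue
        match = _KV_RE.match(line)
        if current is None or match is None:
            raise ValueError(f"unsupported config line: {raw!r}")
        key, string_value, date_value = match.groups()
        current[key] = string_value if date_value is None else dt.date.fromisoformat(date_value)
    return entries


def active_ignores(entries, today):
    """Map vulnerability id -> reason for the exceptions still in force on `today`."""
    active = {}
    for entry in entries:
        until = entry.get("ignoreUntil")
        if until is not None and until < today:
            continue  # expired exception: the finding becomes visible again
        active[entry["id"]] = entry.get("reason", "")
    return active


def triage(scan_json, config_toml, today_iso):
    """Split every finding into blocking or ignored; returns a JSON-able report."""
    ignores = active_ignores(parse_ignored_vulns(config_toml), dt.date.fromisoformat(today_iso))
    report = {"blocking": [], "ignored": []}
    for result in json.loads(scan_json)["results"]:
        for pkg in result["packages"]:
            p = pkg["package"]
            for vuln in pkg["vulnerabilities"]:
                aliases = vuln.get("aliases", [])
                finding = {"source": result["source"]["path"], "id": vuln["id"], "aliases": aliases,
                           "package": f'{p["ecosystem"]}:{p["name"]}@{p["version"]}'}
                # An ignore entry may name either the advisory id or one of its aliases.
                hit = next((i for i in [vuln["id"], *aliases] if i in ignores), None)
                if hit is None:
                    report["blocking"].append(finding)
                else:
                    finding.update(ignored_as=hit, reason=ignores[hit])
                    report["ignored"].append(finding)
    return report


def exit_code(report):
    """Non-zero while any blocking finding remains, so the CI step fails."""
    return 1 if report["blocking"] else 0


if __name__ == "__main__":
    rep = triage(SCAN_JSON, CONFIG_TOML, dt.date.today().isoformat())
    print(json.dumps(rep, indent=2))
    raise SystemExit(exit_code(rep))
```

In a pipeline, replace the embedded samples with the real osv-scanner.toml and the file written by osv-scanner --json, and run this after the scan step. The property worth keeping from it is that an expired exception comes back as a blocking finding instead of being honoured forever: on the article's date, GO-2022-1059 blocks because its ignoreUntil has passed, while GO-2022-0968 and DLA-2487-1 (matched through its CVE alias) are still suppressed.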
3. Scanning lockfiles and SBOMs
Lockfiles can be passed explicitly with --lockfile (short form -L), repeated once per file:
# osv-scanner --lockfile=/path/to/your/package-lock.json -L /path/to/another/Cargo.lock
SPDX and CycloneDX SBOMs are also accepted, provided their components carry package URLs (purls); the format is detected from the file contents, and they are passed with --sbom=/path/to/sbom.json. Supported lockfile formats (entries marked * carry a caveat in the upstream README):
Cargo.lock
package-lock.json
yarn.lock
pnpm-lock.yaml
composer.lock
Gemfile.lock
go.mod
mix.lock
poetry.lock
pubspec.lock
pom.xml*
requirements.txt*
gradle.lockfile
buildscript-gradle.lockfile
References
https://github.com/google/osv-scanner/releases
https://github.com/google/osv-scanner
https://osv.dev/
https://osv.dev/list