1. Introduction
At the end of 2022 Google open-sourced OSV-Scanner, a tool that checks whether the dependencies of projects written in mainstream languages such as Python, Java, Go and Ruby, as well as packages of Linux distributions (Debian, Alpine), have known vulnerabilities. OSV-Scanner is written in Go and is backed by the open OSV vulnerability database; for developers it is a convenient way to check project dependencies for vulnerabilities and to determine the affected version ranges. Google has said that OSV-Scanner will be an important tool for strengthening software supply chain security.
2. Installation
2.1 Option 1: binary release
Download a release from the GitHub releases page, https://github.com/google/osv-scanner/releases, where binaries for Linux, macOS and Windows are provided; they can be run directly.
2.2 Option 2: package manager
Homebrew users can install it with brew:
brew install osv-scanner
Arch Linux users can install it from the official repositories:
pacman -S osv-scanner
2.3 Option 3: from source
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
3. Usage
OSV-Scanner collects the dependencies and versions used in a project and then matches them against the API of osv.dev (the open source vulnerability database).
3.1 Scanning a directory
When scanning a directory, OSV-Scanner works mainly by looking for lockfiles, SBOMs, and git checkouts, for which it uses the most recent commit hash:
“Searching for git commit hashes is meant to handle projects that use git submodules or similar mechanisms, where dependencies are checked out as real git repositories.”
osv-scanner -r /path/to/your/dir
3.2 Scanning an SBOM
An SBOM (software bill of materials) is a formal, structured record that not only lists the components of a software product but also describes their supply chain relationships. It spells out which packages and libraries went into your application and how those packages and libraries relate to other upstream projects, which matters most where code reuse and open source are involved.
The two main SBOM formats are Software Package Data Exchange (SPDX) and CycloneDX; both are used for security purposes. SPDX is a Linux Foundation project whose primary goal is a standard data exchange format for package-related information; large companies such as Intel, Microsoft, Siemens and Sony take part in the SPDX community. At the time of writing the latest SPDX specification was version 2.2.2, and specific fields and sections must be present for a document to count as valid SPDX. CycloneDX is a lightweight SBOM standard designed for application security contexts and supply chain component analysis. Its strategic direction and maintenance are managed by the CycloneDX Core Working Group, which originated within the Open Web Application Security Project (OWASP), a long-standing leader in the security community. What sets CycloneDX apart is that it was designed as a general BOM format that covers a range of use cases, including the Software-as-a-Service BOM (SaaSBOM).
osv-scanner --sbom=/path/to/your/sbom.json
3.3 Scanning lockfiles
The following lockfiles are currently supported:
- buildscript-gradle.lockfile
- Cargo.lock
- composer.lock
- Gemfile.lock
- go.mod
- gradle.lockfile
- mix.lock
- package-lock.json
- packages.lock.json
- Pipfile.lock
- pnpm-lock.yaml
- poetry.lock
- pom.xml*
- pubspec.lock
- requirements.txt*
- yarn.lock
- /lib/apk/db/installed (Alpine)
Several lockfiles can be passed in one run:
osv-scanner --lockfile=/path/to/your/package-lock.json --lockfile=/path/to/another/yarn.lock
3.4 Scanning Debian-based Docker images
Currently only Debian-based Docker images are supported. OSV-Scanner pulls the list of installed packages from the Debian image and queries for their vulnerabilities; Docker must be installed and the user must have permission to run it.
osv-scanner --docker image_name:latest
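The scan modes above (directory with git checkouts, lockfiles, Debian images) all reduce to the same thing: a list of package/version pairs, or commit hashes, sent to osv.dev. As an added example, not code from the original article or from the OSV-Scanner project, the Go program below shows that reduction: it parses a constructed go.mod, a constructed package list of the kind `dpkg-query -W -f '${Package}\t${Version}\n'` prints inside a Debian image, and a constructed commit hash standing in for a submodule checkout, and marshals them into the request body of a POST to https://api.osv.dev/v1/querybatch. The sample inputs, the commit hash, and the `Debian:<release>` ecosystem string are this example's assumptions; the go.mod parser handles only `require` directives, not `replace` or `exclude`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request shapes for POST https://api.osv.dev/v1/querybatch: each query names a
// package and version in an OSV ecosystem, or a bare commit hash.
type pkg struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}

type query struct {
	Package *pkg   `json:"package,omitempty"`
	Version string `json:"version,omitempty"`
	Commit  string `json:"commit,omitempty"`
}

type batch struct {
	Queries []query `json:"queries"`
}

// Constructed sample go.mod (not a real project file).
const sampleGoMod = `module example.com/ip-whois

go 1.19

require (
	github.com/dgrijalva/jwt-go v3.2.0+incompatible
	golang.org/x/text v0.3.7 // indirect
)
`

// Constructed output of: dpkg-query -W -f '${Package}\t${Version}\n'
const sampleDpkg = "libssl1.1\t1.1.1n-0+deb11u3\nbash\t5.1-2+deb11u1\n"

// Constructed hash standing in for a dependency checked out as a git submodule.
const sampleCommit = "0123456789abcdef0123456789abcdef01234567"

// parseGoMod reads the require directives of a go.mod (single-line and block
// forms) and drops the leading "v": OSV's Go ecosystem records "3.2.0+incompatible",
// which is also what osv-scanner prints. replace/exclude directives are ignored.
func parseGoMod(src string) []query {
	var out []query
	inBlock := false
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip "// indirect" and other comments
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		out = append(out, query{
			Package: &pkg{Name: f[0], Ecosystem: "Go"},
			Version: strings.TrimPrefix(f[1], "v"),
		})
	}
	return out
}

// parseDpkg turns dpkg-query "name<TAB>version" lines into Debian queries.
// Assumption: OSV keys Debian advisories by release, hence "Debian:<release>".
func parseDpkg(src, release string) []query {
	var out []query
	for _, line := range strings.Split(src, "\n") {
		f := strings.Split(strings.TrimSpace(line), "\t")
		if len(f) != 2 || f[0] == "" {
			continue
		}
		out = append(out, query{
			Package: &pkg{Name: f[0], Ecosystem: "Debian:" + release},
			Version: f[1],
		})
	}
	return out
}

// commitQuery covers dependencies vendored as git checkouts: OSV accepts a commit hash alone.
func commitQuery(sha string) query { return query{Commit: sha} }

// buildBatch concatenates query lists into one querybatch request body.
func buildBatch(lists ...[]query) ([]byte, error) {
	b := batch{Queries: []query{}}
	for _, l := range lists {
		b.Queries = append(b.Queries, l...)
	}
	return json.MarshalIndent(b, "", "  ")
}

func main() {
	body, err := buildBatch(
		parseGoMod(sampleGoMod),
		parseDpkg(sampleDpkg, "11"),
		[]query{commitQuery(sampleCommit)},
	)
	if err != nil {
		panic(err)
	}
	// In a real scan this body is POSTed to https://api.osv.dev/v1/querybatch; the
	// response carries a "results" array aligned index-for-index with "queries".
	fmt.Println(string(body))
}
```

The commit query carries neither `package` nor `version`, which is why those fields are `omitempty`; osv.dev resolves the hash to affected ranges itself.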
3.5 Configuration
To configure a scan, either create an osv-scanner.toml file in the directory being scanned, or pass a file on the command line with --config=/path/to/config.toml. A file given with --config takes precedence over an osv-scanner.toml found in the directory. For example, to ignore vulnerabilities by ID, with an expiry date and a reason (both optional), write:
[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"
[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."
3.6 Output
By default OSV-Scanner prints its results as a table. To get JSON instead, add the --json flag. With --json, only the JSON output goes to stdout and everything else goes to stderr, so redirecting stdout saves just the JSON to a file: osv-scanner --json ... > /path/to/file.json
{
  "results": [
    {
      "source": {
        "path": "/Users/admin/Workspace/ip-whois/go.mod",
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "github.com/dgrijalva/jwt-go",
            "version": "3.2.0+incompatible",
            "ecosystem": "Go"
          },
          "vulnerabilities": [
            {
              "schema_version": "1.3.0",
              "id": "GHSA-w73w-5m7g-f7qc",
              "modified": "2023-02-07T21:29:32Z",
              "published": "2021-05-18T21:08:21Z",
              "aliases": [
                "CVE-2020-26160"
              ],
              "summary": "Authorization bypass in github.com/dgrijalva/jwt-go",
              "details": "jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1",
              "affected": [
                {
                  "package": {
                    "ecosystem": "Go",
                    "name": "github.com/dgrijalva/jwt-go",
                    "purl": "pkg:golang/github.com/dgrijalva/jwt-go"
                  },
                  "ranges": [
                    {
                      "type": "SEMVER",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "last_affected": "3.2.0"
                        }
                      ]
                    }
                  ],
                  "database_specific": {
                    "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w73w-5m7g-f7qc/GHSA-w73w-5m7g-f7qc.json"
                  }
                },
                {
                  "package": {
                    "ecosystem": "Go",
                    "name": "github.com/dgrijalva/jwt-go/v4",
                    "purl": "pkg:golang/github.com/dgrijalva/jwt-go/v4"
                  },
                  "ranges": [
                    {
                      "type": "SEMVER",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "fixed": "4.0.0-preview1"
                        }
                      ]
                    }
                  ],
                  "database_specific": {
                    "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w73w-5m7g-f7qc/GHSA-w73w-5m7g-f7qc.json"
                  }
                }
              ],
              "references": [
                {
                  "type": "ADVISORY",
                  "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/dgrijalva/jwt-go/issues/422"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/dgrijalva/jwt-go/issues/462"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/dgrijalva/jwt-go/pull/426"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
                },
                {
                  "type": "PACKAGE",
                  "url": "https://github.com/dgrijalva/jwt-go"
                },
                {
                  "type": "WEB",
                  "url": "https://pkg.go.dev/vuln/GO-2020-0017"
                },
                {
                  "type": "WEB",
                  "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515"
                }
              ],
              "database_specific": {
                "cwe_ids": [
                  "CWE-287",
                  "CWE-755"
                ],
                "github_reviewed": true,
                "github_reviewed_at": "2021-05-18T20:54:59Z",
                "nvd_published_at": "2020-09-30T18:15:00Z",
                "severity": "HIGH"
              }
            },
            {
              "schema_version": "1.3.0",
              "id": "GO-2020-0017",
              "modified": "2022-11-21T19:50:45Z",
              "published": "2021-04-14T20:04:52Z",
              "aliases": [
                "CVE-2020-26160",
                "GHSA-w73w-5m7g-f7qc"
              ],
              "summary": "",
              "details": "If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.",
              "affected": [
                {
                  "package": {
                    "ecosystem": "Go",
                    "name": "github.com/dgrijalva/jwt-go",
                    "purl": "pkg:golang/github.com/dgrijalva/jwt-go"
                  },
                  "ranges": [
                    {
                      "type": "SEMVER",
                      "events": [
                        {
                          "introduced": "0.0.0-20150717181359-44718f8a89b0"
                        }
                      ]
                    }
                  ],
                  "database_specific": {
                    "source": "https://vuln.go.dev/ID/GO-2020-0017.json",
                    "url": "https://pkg.go.dev/vuln/GO-2020-0017"
                  },
                  "ecosystem_specific": {
                    "imports": [
                      {
                        "path": "github.com/dgrijalva/jwt-go",
                        "symbols": [
                          "MapClaims.VerifyAudience"
                        ]
                      }
                    ]
                  }
                },
                {
                  "package": {
                    "ecosystem": "Go",
                    "name": "github.com/dgrijalva/jwt-go/v4",
                    "purl": "pkg:golang/github.com/dgrijalva/jwt-go/v4"
                  },
                  "ranges": [
                    {
                      "type": "SEMVER",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "fixed": "4.0.0-preview1"
                        }
                      ]
                    }
                  ],
                  "database_specific": {
                    "source": "https://vuln.go.dev/ID/GO-2020-0017.json",
                    "url": "https://pkg.go.dev/vuln/GO-2020-0017"
                  },
                  "ecosystem_specific": {
                    "imports": [
                      {
                        "path": "github.com/dgrijalva/jwt-go/v4",
                        "symbols": [
                          "MapClaims.VerifyAudience"
                        ]
                      }
                    ]
                  }
                }
              ],
              "references": [
                {
                  "type": "FIX",
                  "url": "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/dgrijalva/jwt-go/issues/422"
                }
              ]
            }
          ],
          "groups": [
            {
              "ids": [
                "GHSA-w73w-5m7g-f7qc",
                "GO-2020-0017"
              ]
            }
          ]
        }
      ]
    }
  ]
}
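The JSON above is what downstream tooling consumes: the "groups" array is the important part, because the GHSA and GO entries describe the same issue (they list each other as aliases) and should be counted once. As an added example, not code from the original article or from OSV-Scanner itself, the Go program below reads a constructed, abbreviated copy of that output, collapses each group of aliased IDs into one finding, and applies the ignore rules of section 3.5 (id, optional ignoreUntil expiry, reason) to decide whether a CI job should fail. The sample JSON, the date used as "now", and the policy that an active ignore rule on any one ID in a group suppresses the whole group are this example's assumptions, not documented tool behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Minimal projection of `osv-scanner --json` output: only the fields used here.
type scanOutput struct {
	Results []struct {
		Source struct {
			Path string `json:"path"`
			Type string `json:"type"`
		} `json:"source"`
		Packages []struct {
			Package struct {
				Name      string `json:"name"`
				Version   string `json:"version"`
				Ecosystem string `json:"ecosystem"`
			} `json:"package"`
			Vulnerabilities []struct {
				ID               string `json:"id"`
				DatabaseSpecific struct {
					Severity string `json:"severity"`
				} `json:"database_specific"`
			} `json:"vulnerabilities"`
			Groups []struct {
				IDs []string `json:"ids"`
			} `json:"groups"`
		} `json:"packages"`
	} `json:"results"`
}

// ignoreRule mirrors one [[IgnoredVulns]] entry of osv-scanner.toml.
type ignoreRule struct {
	ID          string
	IgnoreUntil time.Time // zero value: never expires
	Reason      string
}

// finding is one vulnerability group (a set of aliased IDs) on one package.
type finding struct {
	Package, Version, Severity string
	IDs                        []string
	Ignored                    bool
}

// evaluate flattens scan output into findings and reports whether a build should fail.
// Example policy (an assumption): a rule is active if it has no expiry or expires
// after now; a group is ignored if any of its IDs has an active rule; any remaining
// group fails the build.
func evaluate(raw []byte, rules []ignoreRule, now time.Time) ([]finding, bool, error) {
	var out scanOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, false, err
	}
	active := map[string]bool{}
	for _, r := range rules {
		if r.IgnoreUntil.IsZero() || now.Before(r.IgnoreUntil) {
			active[r.ID] = true
		}
	}
	var findings []finding
	fail := false
	for _, res := range out.Results {
		for _, p := range res.Packages {
			sev := map[string]string{}
			for _, v := range p.Vulnerabilities {
				sev[v.ID] = v.DatabaseSpecific.Severity
			}
			for _, g := range p.Groups {
				f := finding{Package: p.Package.Name, Version: p.Package.Version, IDs: g.IDs}
				for _, id := range g.IDs {
					f.Ignored = f.Ignored || active[id]
					if f.Severity == "" {
						f.Severity = sev[id] // first entry in the group that carries a severity wins
					}
				}
				fail = fail || !f.Ignored
				findings = append(findings, f)
			}
		}
	}
	return findings, fail, nil
}

// Constructed, abbreviated copy of the jwt-go result shown in the article.
const sampleScan = `{
  "results": [{
    "source": {"path": "/Users/admin/Workspace/ip-whois/go.mod", "type": "lockfile"},
    "packages": [{
      "package": {"name": "github.com/dgrijalva/jwt-go", "version": "3.2.0+incompatible", "ecosystem": "Go"},
      "vulnerabilities": [
        {"id": "GHSA-w73w-5m7g-f7qc", "aliases": ["CVE-2020-26160"], "database_specific": {"severity": "HIGH"}},
        {"id": "GO-2020-0017", "aliases": ["CVE-2020-26160", "GHSA-w73w-5m7g-f7qc"]}
      ],
      "groups": [{"ids": ["GHSA-w73w-5m7g-f7qc", "GO-2020-0017"]}]
    }]
  }]
}`

func main() {
	// One exception that expired on 2022-11-09, so it no longer suppresses the group.
	rules := []ignoreRule{{ID: "GO-2020-0017", IgnoreUntil: time.Date(2022, 11, 9, 0, 0, 0, 0, time.UTC), Reason: "expired exception"}}
	findings, fail, err := evaluate([]byte(sampleScan), rules, time.Now())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s@%s %s severity=%s ignored=%v\n", f.Package, f.Version, strings.Join(f.IDs, ","), f.Severity, f.Ignored)
	}
	fmt.Println("fail build:", fail)
}
```

The expiry check is the piece worth keeping: an ignore entry without a date silently becomes permanent, so a CI gate built on this output should treat missing ignoreUntil values as a review item rather than a free pass.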
4. Outlook
Google's software engineers have shared the roadmap for OSV-Scanner: a standalone CI action may follow, to make it easy to integrate into workflows, and they are working to improve C and C++ support by building a high-quality C/C++ vulnerability database through adding precise metadata to CVEs. Which feature are you most looking forward to?
Originally published on the WeChat official account 洋洋自语: 开源漏洞识别工具OSV-Scanner (Open-source vulnerability detection tool OSV-Scanner)
Article compiled by 极客之音; link: https://www.bmabk.com/index.php/post/273121.html