{"id":13845279,"url":"https://github.com/fdl66/Golang_SCA","last_synced_at":"2025-07-12T01:32:29.583Z","repository":{"id":115438068,"uuid":"468765450","full_name":"fdl66/Golang_SCA","owner":"fdl66","description":"Golang SCA (Software Composition Analysis): analyzes your go.mod files to help you find out whether your Golang project's dependency libraries contain vulnerabilities","archived":false,"fork":false,"pushed_at":"2022-03-12T10:19:25.000Z","size":13,"stargazers_count":5,"open_issues_count":2,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-11-21T18:39:19.640Z","etag":null,"topics":["codescan","golang","software-composition-analysis","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fdl66.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-11T13:41:19.000Z","updated_at":"2024-09-20T07:20:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"561307f3-314b-4f4c-ad1c-2936e8187e4d","html_url":"https://github.com/fdl66/Golang_SCA","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fdl66/Golang_SCA","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdl66%2FGolang_SCA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdl66%2FGolang_SCA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdl66%2FGolang_SCA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdl66%2FGolang_SCA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fdl66","download_url":"https://codeload.github.com/fdl66/Golang_SCA/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdl66%2FGolang_SCA/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264923076,"owners_count":23683717,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codescan","golang","software-composition-analysis","vulnerability-scanners"],"created_at":"2024-08-04T17:03:18.674Z","updated_at":"2025-07-12T01:32:29.563Z","avatar_url":"https://github.com/fdl66.png","language":"Python","readme":"## Features\nSecurity risk analysis for Golang dependency libraries, helping you quickly find security risks in the libraries your Golang project depends on.\n\nHow it works:\n    \n    1. Parse the names and versions of every library you depend on from all go.mod files.\n    2. Deduplicate the collected library names and versions.\n    3. Look up the cache (entries expire automatically after 72 hours); if a result is already cached, use it.\n    4. If it is not in the cache, query https://deps.dev/ in real time.\n\n\u003e TODO: deps.dev supports more languages than Golang, so this project will be extended to support Rust, Java, Python and Node.js as well.\n\n\n## Usage\n```bash\n# Input\n\n# file: a go.mod file\n# dir: a directory containing any number of go.mod files\n# Specify your go.mod file, or copy all of your go.mod files into one folder and specify that directory.\n\npython3 golang_sca.py file/dir ...\n\neg:\n    python .\\golang_sca.py go.mod E:\\code\\py\\Golang_SCA\\input\n\n\n\n\n# Output\noutput/res.json\n\n```\n\n## Sample result\n```json\n{\n    \"github.com/BurntSushi/toml v0.3.1\": {\n        \"name\": \"github.com/BurntSushi/toml\",\n        \"version\": \"v0.3.1\",\n        \"time\": 1647013364.285942,\n        \"advisories\": [] // no known vulnerability risk\n    },\n    \"github.com/gin-gonic/gin v1.6.0\": {\n        \"name\": \"github.com/gin-gonic/gin\",\n        \"version\": \"v1.6.0\",\n        \"time\": 1647013967.5933473,\n        \"advisories\": [ // list of security risks\n            {\n                \"source\": \"GHSA\",\n                \"sourceID\": \"GHSA-h395-qcrw-5vmq\",\n                \"sourceURL\": \"https://github.com/advisories/GHSA-h395-qcrw-5vmq\",\n                \"title\": \"Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin\",\n                \"description\": \"This affects all versions of package github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.\",\n                \"referenceURLs\": [\n                    \"https://nvd.nist.gov/vuln/detail/CVE-2020-28483\",\n                    \"https://github.com/gin-gonic/gin/pull/2474%23issuecomment-729696437\",\n                    \"https://github.com/gin-gonic/gin/pull/2632\",\n                    \"https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711\",\n                    \"https://github.com/gin-gonic/gin/releases/tag/v1.7.0\",\n                    \"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736\",\n                    \"https://github.com/advisories/GHSA-h395-qcrw-5vmq\"\n                ],\n                \"severity\": \"HIGH\", // high-severity risk\n                \"gitHubSeverity\": \"HIGH\",\n                \"scoreV3\": 7.1,\n                \"aliases\": [\n                    \"CVE-2020-28483\"\n                ],\n                \"disclosedAt\": 1624470801,\n                \"observedAt\": 1639539014\n            },\n            {\n                \"source\": \"OSV\",\n                \"sourceID\": \"GO-2021-0052\",\n                \"sourceURL\": \"https://osv.dev/vulnerability/GO-2021-0052\",\n                \"title\": \"GO-2021-0052\",\n                \"description\": \"Due to improper HTTP header santization, a malicious user can spoof their\\nsource IP address by setting the X-Forwarded-For header. This may allow\\na user to bypass IP based restrictions, or obfuscate their true source.\\n\",\n                \"referenceURLs\": [\n                    \"https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711\",\n                    \"https://github.com/gin-gonic/gin/pull/2474\",\n                    \"https://github.com/gin-gonic/gin/pull/2632\",\n                    \"https://go.googlesource.com/vulndb/+/refs/heads/master/reports/GO-2021-0052.yaml\",\n                    \"https://storage.googleapis.com/go-vulndb/byID/GO-2021-0052.json\"\n                ],\n                \"severity\": \"UNKNOWN\",\n                \"gitHubSeverity\": \"UNKNOWN\",\n                \"aliases\": [\n                    \"CVE-2020-28483\"\n                ],\n                \"disclosedAt\": 1618401600,\n                \"observedAt\": 1639517407\n            }\n        ]\n    },\n    \"github.com/influxdata/influx-cli/v2 v2.2.1-0.20211129214229-4c0fae3a4c0d\": {\n        \"name\": \"github.com/influxdata/influx-cli/v2\",\n        \"version\": \"v2.2.1-0.20211129214229-4c0fae3a4c0d\",\n        \"time\": 1647013967.5923712,\n        \"advisories\": []\n    },\n    \"gopkg.in/square/go-jose.v2 v2.3.1\": {\n        \"name\": \"gopkg.in/square/go-jose.v2\",\n        \"version\": \"v2.3.1\",\n        \"time\": 1647013967.5923712,\n        \"advisories\": []\n    },\n    \"github.com/burntsushi/toml v0.3.1\": {\n        \"name\": \"github.com/burntsushi/toml\",\n        \"version\": \"v0.3.1\",\n        \"time\": 1647013967.5913942,\n        \"advisories\": []\n    }\n}\n```\n\n\n\n\n## Dependencies\n1. `requests(python3)`\n2. Credits: `https://deps.dev/`\n\n\n\n\n\n\n\n## If this project is useful to you, please give it a star ^_^  \n\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffdl66%2FGolang_SCA","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffdl66%2FGolang_SCA","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffdl66%2FGolang_SCA/lists"}