{"id":15127511,"url":"https://github.com/xmirrorsecurity/opensca-cli","last_synced_at":"2025-05-14T20:07:49.065Z","repository":{"id":38203822,"uuid":"442967758","full_name":"XmirrorSecurity/OpenSCA-cli","owner":"XmirrorSecurity","description":"OpenSCA is an open source software supply chain security solution that supports the detection of open source dependencies, vulnerabilities and license compliance with a widely noticed accuracy by the community. ","archived":false,"fork":false,"pushed_at":"2025-05-09T07:28:52.000Z","size":9124,"stargazers_count":1067,"open_issues_count":1,"forks_count":120,"subscribers_count":107,"default_branch":"master","last_synced_at":"2025-05-09T08:34:35.120Z","etag":null,"topics":["cyclonedx","devsecops","license-compliance","sbom","sca","security","software-bill-of-materials","software-composition-analysis","software-supply-chain","software-supply-chain-security","spdx","static-analysis","swid","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://opensca.xmirror.cn","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XmirrorSecurity.png","metadata":{"files":{"readme":".github/README.md","changelog":null,"contributing":"CONTRIBUTING-zh_CN.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-12-30T04:44:37.000Z","updated_at":"2025-05-09T07:42:15.000Z","dependencies_parsed_at":"2023-11-27T04:27:24.741Z","dependency_job_id":"732ad087-c31e-448e-8448-4cec5c3ef05d","html_url":"https://github.com/XmirrorSecurity/OpenSCA-cli","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name"
:null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2FOpenSCA-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2FOpenSCA-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2FOpenSCA-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XmirrorSecurity%2FOpenSCA-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XmirrorSecurity","download_url":"https://codeload.github.com/XmirrorSecurity/OpenSCA-cli/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254219373,"owners_count":22034397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","devsecops","license-compliance","sbom","sca","security","software-bill-of-materials","software-composition-analysis","software-supply-chain","software-supply-chain-security","spdx","static-analysis","swid","vulnerabilities"],"created_at":"2024-09-26T02:04:44.722Z","updated_at":"2025-05-14T20:07:49.057Z","avatar_url":"https://github.com/XmirrorSecurity.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n\t\u003cimg alt=\"logo\" src=\"/resources/logo.svg\"\u003e\n  \u003ch2\u003eManage Open Source Risks via Open Source Solution\u003c/h2\u003e\n\u003c/div\u003e\n\n[![Release](https://img.shields.io/github/v/release/XmirrorSecurity/OpenSCA-cli)](https://github.com/XmirrorSecurity/OpenSCA-cli/releases)\n[![Jetbrains 
Plugin](https://img.shields.io/jetbrains/plugin/v/18246?label=Jetbrains%20Plugin)](https://plugins.jetbrains.com/plugin/18246-opensca-xcheck)\n[![VSCode Plugin](https://img.shields.io/visual-studio-marketplace/v/xmirror.opensca?label=VSCode%20Plugin)](https://marketplace.visualstudio.com/items?itemName=xmirror.opensca)\n[![LICENSE](https://img.shields.io/github/license/XmirrorSecurity/OpenSCA-cli)](https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/LICENSE)\n[![GitHub all releases](https://img.shields.io/github/downloads/XmirrorSecurity/OpenSCA-cli/total)](https://github.com/XmirrorSecurity/OpenSCA-cli/releases)\n[![Docker Pulls](https://img.shields.io/docker/pulls/opensca/opensca-cli)](https://hub.docker.com/r/opensca/opensca-cli)\n\n\u003c!--\n[![GitHub go.mod Go version (subdirectory of monorepo)](https://img.shields.io/github/go-mod/go-version/xmirrorsecurity/opensca-cli)](/go.mod)\n[![VSCode Plugin](https://vsmarketplacebadges.dev/version/xmirror.opensca.svg)](https://marketplace.visualstudio.com/items?itemName=xmirror.opensca)\n--\u003e\n\nEnglish|[中文](../README.md)\n\n- [Introduction](#introduction)\n- [Detection Ability](#detection-ability)\n- [Installation](#installation)\n  - [Method 1: Download from Releases](#method-1-download-from-releases)\n  - [Method 2: Use install script](#method-2-use-install-script)\n  - [Method 3: Use package manager(Homebrew)](#method-3-use-package-managerhomebrew)\n  - [Method 4: Build from source](#method-4-build-from-source)\n- [Use OpenSCA](#use-opensca)\n  - [Parameters](#parameters)\n  - [Report Formats](#report-formats)\n  - [Sample](#sample)\n    - [Scan \\\u0026 Report via Docker Container](#scan--report-via-docker-container)\n  - [Local Vulnerability Database](#local-vulnerability-database)\n    - [The Format of the Vulnerability Database File](#the-format-of-the-vulnerability-database-file)\n    - [Explanations of Vulnerability Database Fields](#explanations-of-vulnerability-database-fields)\n    - [Sample of 
Setting the Vulnerability Database](#sample-of-setting-the-vulnerability-database)\n- [FAQ](#faq)\n  - [Is the environment variable needed while using OpenSCA?](#is-the-environment-variable-needed-while-using-opensca)\n  - [About the vulnerability database?](#about-the-vulnerability-database)\n  - [About the time cost of OpenSCA scanning?](#about-the-time-cost-of-opensca-scanning)\n- [Contact Us](#contact-us)\n- [Authors](#authors)\n- [Contributing](#contributing)\n\n\n## Introduction\n\nOpenSCA is intended for scanning third-party dependencies, vulnerabilities and licenses.\n\nOur website: [https://opensca.xmirror.cn](https://opensca.xmirror.cn)\n\nClick **STAR** to leave encouragement.\n\n------\n\n## Detection Ability\n\nOpenSCA is currently capable of parsing the configuration files of the programming languages and corresponding package managers listed below. The team is working on introducing more languages and gradually enriching the parsing of the relevant configuration files.\n\n| LANGUAGE | PACKAGE MANAGER | FILE |\n| ------------ | --------------- | ---- |\n| `Java` | `Maven` | `pom.xml` |\n| `Java` | `Gradle` | `.gradle` `.gradle.kts` |\n| `JavaScript` | `Npm` | `package-lock.json` `package.json` `yarn.lock` |\n| `PHP` | `Composer` | `composer.json` `composer.lock` 
|\n| `Ruby` | `gem` | `gemfile.lock` |\n| `Golang` | `gomod` | `go.mod` `go.sum` `Gopkg.toml` `Gopkg.lock` |\n| `Rust` | `cargo` | `Cargo.lock` |\n| `Erlang` | `Rebar` | `rebar.lock` |\n| `Python` | `Pip` | `Pipfile` `Pipfile.lock` `setup.py` `requirements.txt` `requirements.in` (for the latter two, a pipenv environment and an internet connection are needed) |\n\n## Installation\n\nOpenSCA-cli is available for Windows, Linux and macOS. The installation method is as follows:\n\n### Method 1: Download from Releases\n\n1. Download the appropriate executable file according to your system architecture from [releases](https://github.com/XmirrorSecurity/OpenSCA-cli/releases).\n2. 
Unzip the downloaded file and run `opensca-cli` directly.\n\n### Method 2: Use install script\n\n- For Mac/Linux Users\n    ```shell\n    curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh\n\n    # Try this when internet connection fails\n    curl -sSL https://gitee.com/XmirrorSecurity/OpenSCA-cli/raw/master/scripts/install.sh | sh -s -- gitee\n    ```\n- For Windows Users(need PowerShell)\n    ```powershell\n    iex \"\u0026{$(irm https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.ps1)}\"\n\n    # Try this when internet connection fails\n    iex \"\u0026{$(irm https://gitee.com/XmirrorSecurity/OpenSCA-cli/raw/master/scripts/install.ps1)} gitee\"\n    ```\n\n### Method 3: Use package manager(Homebrew)\n```shell\nbrew install opensca-cli\n```\n\n### Method 4: Build from source\n\nClone the source code and compile (`go 1.18` and above is needed)\n\n```shell\n# github linux/mac\ngit clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca \u0026\u0026 cd opensca \u0026\u0026 go build\n# gitee linux/mac\ngit clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca \u0026\u0026 cd opensca \u0026\u0026 go build\n# github windows\ngit clone https://github.com/XmirrorSecurity/OpenSCA-cli.git opensca ; cd opensca ; go build\n# gitee windows\ngit clone https://gitee.com/XmirrorSecurity/OpenSCA-cli.git opensca ; cd opensca ; go build\n```\n\nThe default option is to generate the program of the current system architecture. 
If you want to try it for other system architectures, you can set the following environment variables before compiling.\n\n- Disable `CGO_ENABLED` `CGO_ENABLED=0`\n- Set the operating system `GOOS=${OS} \\\\ darwin,linux,windows`\n- Set the architecture `GOARCH=${arch} \\\\ amd64,arm64`\n\n## Use OpenSCA\n\n### Parameters\n\n| PARAMETER | TYPE | DESCRIPTION | SAMPLE |\n| ---------- | -------- | ----------- | ------ |\n| `config` | `string` | Set the path of the configuration file | `-config config.json` |\n| `path` | `string` | Set the path of the target file or directory 
| `-path ./foo` |\n| `out` | `string` | Save the result to the specified file; the format is defined by the suffix | `-out out.json, out.html` |\n| `log` | `string` | Specify the path of the log file | `-log my_log.txt` |\n| `token` | `string` | Cloud service verification from our official website | `-token xxx` |\n| `proj` | `string` | SaaS project `token` to sync reports with [OpenSCA SaaS](https://opensca.xmirror.cn/console) | `-proj xxx` 
|\n\nFrom v3.0.0, apart from these parameters available for CMD/CRT, there are also others for different requirements which have to be set in the configuration file.\n\nA full introduction to each parameter can be found in `config.json`.\n\nv3.0.2 and above allows OpenSCA-cli to sync reports with OpenSCA SaaS (via `proj`), so that the reports of multiple projects can be managed together.\n\nIf a configuration-file parameter conflicts with a command-line parameter, the command-line value is taken.\n\nWhen there is no configuration file at the set path, one with default settings will be generated there.\n\nIf no configuration file path is set, the following locations will be checked:\n\n  1. `config.json` under the working directory\n  2. `opensca_config.json` under the user directory\n  3. `config.json` under the `opensca-cli` directory\n\nFrom v3.0.0, `url` has been moved into the configuration file. The default points to our cloud vulnerability database. Any other online database that follows our database structure can also be set through the configuration file.\n\nPrevious versions connecting to the cloud database still need `url` to be set, which can be done via both CMD and the configuration file. 
Example: `-url https://opensca.xmirror.cn`\n\n### Report Formats\n\nFiles supported by the `out` parameter are listed below:\n\n| TYPE | FORMAT | SPECIFIED SUFFIX | VERSION |\n| ------ | ------ | -------------------------------- | ------------------ |\n| REPORT | `json` | `.json` | `*` |\n| | `xml` | `.xml` | `*` |\n| | `html` | `.html` | `v1.0.6` and above |\n| | `sqlite` | `.sqlite` | `v1.0.13` and above |\n| | `csv` | `.csv` | `v1.0.13` and above |\n| | `sarif` | `.sarif` | |\n| SBOM | `spdx` | `.spdx` `.spdx.json` `.spdx.xml` | `v1.0.8` and above |\n| | `cdx` | `.cdx.json` `.cdx.xml` | `v1.0.11` and above |\n| | `swid` | `.swid.json` `.swid.xml` | `v1.0.11` and above |\n| | `dsdx` | `.dsdx` `.dsdx.json` `.dsdx.xml` | `v3.0.0` and above |\n\n### Sample\n\n```shell\n# Use opensca-cli to scan with CMD parameters:\nopensca-cli -path ${project_path} -config ${config_path} -out $(unknown).${suffix} -token ${token}\n\n# Start scanning after the configuration file has been set up:\nopensca-cli\n```\n\n#### Scan \u0026 Report via Docker Container\n\n```shell\n# Detect dependencies in the current directory:\ndocker run -ti --rm -v ${PWD}:/src opensca/opensca-cli\n\n# Connect to the cloud vulnerability database:\ndocker run -ti --rm -v ${PWD}:/src opensca/opensca-cli -token ${put_your_token_here}\n```\n\nYou can also use the configuration file for advanced settings. Save `config.json` to the directory mounted at `/src`, or set another path within the container through `-config`. 
How the current directory is referenced differs between terminals; common forms are listed here for reference:\n\n| terminal | pwd |\n| ------------ | --------------------- |\n| `bash` | `$(pwd)` |\n| `zsh` | `${PWD}` |\n| `cmd` | `%cd%` |\n| `powershell` | `(Get-Location).Path` |\n\nFor more information, visit the [Docker Hub page](https://hub.docker.com/r/opensca/opensca-cli).\n\n### Local Vulnerability Database\n\n#### The Format of the Vulnerability Database File\n\n```json\n[\n  {\n    \"vendor\": \"org.apache.logging.log4j\",\n    \"product\": \"log4j-core\",\n    \"version\": \"[2.0-beta9,2.12.2)||[2.13.0,2.15.0)\",\n    \"language\": \"java\",\n    \"name\": \"Apache Log4j2 远程代码执行漏洞\",\n    \"id\": \"XMIRROR-2021-44228\",\n    \"cve_id\": \"CVE-2021-44228\",\n    \"cnnvd_id\": \"CNNVD-202112-799\",\n    \"cnvd_id\": \"CNVD-2021-95914\",\n    \"cwe_id\": \"CWE-502,CWE-400,CWE-20\",\n    \"description\": \"Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。\\r\\nApache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。\",\n    \"description_en\": \"Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. 
Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\",\n    \"suggestion\": \"2.12.1及以下版本可以更新到2.12.2，其他建议更新至2.15.0或更高版本，漏洞详情可参考：https://github.com/apache/logging-log4j2/pull/608 \\r\\n1、临时解决方案，适用于2.10及以上版本：\\r\\n\\t（1）设置jvm参数：“-Dlog4j2.formatMsgNoLookups=true”；\\r\\n\\t（2）设置参数：“log4j2.formatMsgNoLookups=True”；\",\n    \"attack_type\": \"远程\",\n    \"release_date\": \"2021-12-10\",\n    \"security_level_id\": 1,\n    \"exploit_level_id\": 1\n  }\n]\n```\n\n#### Explanations of Vulnerability Database Fields\n\n| FIELD | DESCRIPTION | REQUIRED OR NOT |\n| ------------------- | ----------- | --------------- |\n| `vendor` | the manufacturer of the component | N |\n| `product` | the name of the component | Y |\n| `version` | the versions of the component affected by the vulnerability | Y |\n| `language` | the programming language of the component | Y |\n| `name` | the name of the vulnerability | N |\n| `id` | custom identifier | Y |\n| `cve_id` | CVE identifier | N |\n| `cnnvd_id` | CNNVD identifier | N |\n| `cnvd_id` | CNVD identifier | N |\n| `cwe_id` | CWE identifier | N |\n| `description` | the description of the vulnerability 
| N |\n| `description_en` | the description of the vulnerability in English | N |\n| `suggestion` | the suggestion for fixing the vulnerability | N |\n| `attack_type` | the type of attack | N |\n| `release_date` | the release date of the vulnerability | N |\n| `security_level_id` | the security level of the vulnerability (severity diminishing from 1 to 4) | N |\n| `exploit_level_id` | the exploit level of the vulnerability (0-N/A 1-Available) | N |\n\n*There are several pre-set values for the `language` field: java, javascript, golang, rust, php, ruby and python. Other languages are not limited to the pre-set values.\n\n#### Sample of Setting the Vulnerability Database\n\n```json\n{\n  \"origin\": {\n    \"json\": \"db.json\",\n    \"mysql\": {\n      \"dsn\": \"user:password@tcp(ip:port)/dbname\",\n      \"table\": \"table_name\"\n    },\n    \"sqlite\": {\n      \"dsn\": \"sqlite.db\",\n      \"table\": \"table_name\"\n    }\n  }\n}\n```\n\n## FAQ\n\n### Is the environment variable needed while using OpenSCA?\n\nNo. OpenSCA can be executed directly from the command line in CLI/CRT after decompression.\n\n### About the vulnerability database?\n\nOpenSCA allows configuring a local vulnerability database. 
It has to follow *the Format of the Vulnerability Database File* described above.\n\nMeanwhile, OpenSCA also offers a cloud vulnerability database covering official databases including CVE/CWE/NVD/CNVD/CNNVD.\n\n### About the time cost of OpenSCA scanning?\n\nIt depends on the size of the package, the network condition and the language.\n\nFrom v1.0.11, we added the aliyun mirror repository as a backup to the official maven repository, to reduce the lag caused by network connection problems.\n\nFor v1.0.10 and below, if the scan takes abnormally long and errors about failed connections to the maven repository are reported in the log file, users of versions between v1.0.6 and v1.0.10 can fix the problem by setting the `maven` field in `config.json` like below:\n\n```json\n{\n    \"maven\": [\n        {\n            \"repo\": \"https://maven.aliyun.com/repository/public\",\n            \"user\": \"\",\n            \"password\": \"\"\n        }\n    ]\n}\n```\n\nAfter setting it, save `config.json` to the same folder as opensca-cli.exe and execute the command, e.g.:\n\n```shell\nopensca-cli -token {token} -path {path} -out output.html -config config.json\n```\n\nUsers of v1.0.5 and below may have to modify the source code. 
We recommend upgrading to a higher version.\n\nFor other FAQs, please check [FAQs](https://opensca.xmirror.cn/docs/v1/FAQ.html).\n\n## Contact Us\n\nISSUEs are warmly welcome.\n\nAdding us on WeChat for further consultation is also an option:\n\n![QR Code](/resources/wechat.png)\n\nOur QQ Group: 832039395\n\nMailbox: opensca@anpro-tech.com\n\n## Authors\n\n- Tao Zhang\n- Chi Zhang\n- Zhong Chen\n- Enzhi Liu\n- Ge Ning\n\n## Contributing\n\nOpenSCA is an open source project; we appreciate your contribution!\n\nTo contribute, please read our [Contributing Guideline](../docs/Contributing_Guideline-v1.0.md).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmirrorsecurity%2Fopensca-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxmirrorsecurity%2Fopensca-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxmirrorsecurity%2Fopensca-cli/lists"}