scalibr

package module
v0.1.1
Published: Jun 7, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

README

OSV-SCALIBR

Note: The code in this repo is subject to change in the near future as we're merging SCALIBR with OSV-scanner to provide a single tool that unifies the two scanners' extraction and vuln scanning capabilities.

SCALIBR (Software Composition Analysis Library) is an extensible file system scanner used to extract software inventory data (e.g. installed language packages) and detect vulnerabilities.

The scanner can either be used as a standalone binary to scan the local machine or as a library with a custom wrapper to perform scans on e.g. container images or remote hosts. It comes with built-in plugins for inventory extraction and vulnerability detection and it also allows users to run their custom plugins.

See here for the list of currently supported software inventory types.

Prerequisites

To build SCALIBR, you'll need to have the following installed:

How to use

As a standalone binary
  1. make
  2. ./scalibr --result=result.textproto

See the result proto definition for details about the scan result format.

Run ./scalibr --help for a list of additional CLI args.

As a library:
  1. Import github.com/google/osv-scalibr into your Go project
  2. Create a new scalibr.ScanConfig struct, configure the extraction and detection plugins to run
  3. Call scalibr.New().Scan() with the config
  4. Parse the returned scalibr.ScanResults

See below for an example code snippet.

On a container image

See the run_scalibr_on_image.sh script for an example of how to run SCALIBR on container images.

SPDX generation

SCALIBR supports generating the result of inventory extraction as an SPDX v2.3 file in json, yaml or tag-value format. Example usage:

./scalibr -o spdx23-json=result.spdx.json

Some fields in the generated SPDX can be overwritten:

./scalibr -spdx-document-name="Custom name" --spdx-document-namespace="Custom-namespace" --spdx-creators=Organization:Google -o spdx23-json=result.spdx.json

Running built-in plugins

With the standalone binary

The binary runs SCALIBR's "recommended" internal plugins by default. You can enable more plugins with the --extractors= and --detectors= flags. See the definition files for a list of all built-in plugins and their CLI flags (extractors (fs), detectors).

With the library

A collection of all built-in plugin modules can be found in the definition files (extractors, detectors). To enable them, just import the module and add the appropriate plugins to the scan config, e.g.

import (
  "context"

  scalibr "github.com/google/osv-scalibr"
  el "github.com/google/osv-scalibr/extractor/filesystem/list"
  dl "github.com/google/osv-scalibr/detector/list"
)
// Run the built-in Python extractors and the CIS detectors against the local root.
cfg := &scalibr.ScanConfig{
  ScanRoot:             "/",
  FilesystemExtractors: el.Python,
  Detectors:            dl.CIS,
}
results := scalibr.New().Scan(context.Background(), cfg)

Creating + running custom plugins

Custom plugins can only be run when using SCALIBR as a library.

  1. Create an implementation of the SCALIBR Extractor or Detector interface.
  2. Add the newly created struct to the scan config and run the scan, e.g.

import (
  "context"

  "github.com/google/osv-scalibr/extractor/filesystem"
  scalibr "github.com/google/osv-scalibr"
)
// myExtractor is your own type implementing the filesystem.Extractor interface;
// ScanConfig.FilesystemExtractors is a []filesystem.Extractor.
cfg := &scalibr.ScanConfig{
  ScanRoot:             "/",
  FilesystemExtractors: []filesystem.Extractor{&myExtractor{}},
}
results := scalibr.New().Scan(context.Background(), cfg)

Custom logging

You can make the SCALIBR library log using your own custom logger by passing an implementation of the log.Logger interface to log.SetLogger():

import (
  "context"

  customlog "path/to/custom/log"
  "github.com/google/osv-scalibr/log"
  scalibr "github.com/google/osv-scalibr"
)
cfg := &scalibr.ScanConfig{ScanRoot: "/"}
// customlog.Logger must implement log.Logger; every SCALIBR log call after this goes through it.
log.SetLogger(&customlog.Logger{})
results := scalibr.New().Scan(context.Background(), cfg)
log.Info(results)

Contributing

Read how to contribute to SCALIBR.

Disclaimers

SCALIBR is not an official Google product.

Documentation

Overview

Package scalibr provides an interface for running software inventory extraction and security finding detection on a machine.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ScanConfig

type ScanConfig struct {
	FilesystemExtractors []filesystem.Extractor
	StandaloneExtractors []standalone.Extractor
	Detectors            []detector.Detector
	// ScanRoot is the root dir used by file walking during extraction.
	// All extractors and detectors will assume files are relative to this dir.
	// Example use case: Scanning a container image or source code repo that is
	// mounted to a local dir.
	ScanRoot string
	// Optional: Individual files to extract inventory from. If specified, the
	// extractors will only look at these files during the filesystem traversal.
	// Note that these are not relative to ScanRoot and thus need to be in
	// sub-directories of ScanRoot.
	FilesToExtract []string
	// Optional: Directories that the file system walk should ignore.
	// Note that these are not relative to ScanRoot and thus need to be
	// sub-directories of ScanRoot.
	// TODO(b/279413691): Also skip local paths, e.g. "Skip all .git dirs"
	DirsToSkip []string
	// Optional: If the regex matches a directory, it will be skipped.
	SkipDirRegex *regexp.Regexp
	// Optional: Stats lets you register a metrics hook. If left nil, no metrics will be recorded.
	Stats stats.Collector
	// Optional: Whether to read symlinks.
	ReadSymlinks bool
	// Optional: Limit for visited inodes. If 0, no limit is applied.
	MaxInodes int
}

ScanConfig stores the config settings of a scan run such as the plugins to use and the dir to consider the root of the scanned system.
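The walk-related fields above interact in ways the doc comments only hint at: DirsToSkip entries are absolute paths that must sit under ScanRoot, SkipDirRegex prunes whole subtrees, and ReadSymlinks decides whether link targets are read at all. The Go program below is an added example, not code from the osv-scalibr project: it is a small stand-in walker that mirrors those documented semantics (the walkConfig type, the assumption that SkipDirRegex is matched against the absolute directory path, and the constructed temp-dir tree are all the example's own), and it adds the check a practitioner wants when scanning a mounted image with ReadSymlinks enabled, namely that a link whose target resolves outside ScanRoot is dropped rather than read.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// walkConfig is a constructed stand-in for ScanConfig's walk-related fields, mirroring only the documented semantics.
type walkConfig struct {
	ScanRoot     string
	DirsToSkip   []string       // absolute paths that must lie under ScanRoot
	SkipDirRegex *regexp.Regexp // assumption: matched against the absolute dir path
	ReadSymlinks bool
}

// underRoot reports whether p equals root or lies inside it.
func underRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// walk returns the regular files (relative to ScanRoot, slash-separated) that extractors would be offered.
func walk(cfg walkConfig) ([]string, error) {
	skip := map[string]bool{}
	for _, d := range cfg.DirsToSkip {
		// Doc rule: entries are absolute paths under ScanRoot; reject the rest instead of silently matching nothing.
		if !filepath.IsAbs(d) || !underRoot(cfg.ScanRoot, d) {
			return nil, fmt.Errorf("DirsToSkip entry %q is not an absolute path under ScanRoot %q", d, cfg.ScanRoot)
		}
		skip[filepath.Clean(d)] = true
	}
	var out []string
	err := filepath.WalkDir(cfg.ScanRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if p != cfg.ScanRoot && (skip[p] || cfg.SkipDirRegex != nil && cfg.SkipDirRegex.MatchString(p)) {
				return filepath.SkipDir // prune the whole subtree
			}
			return nil
		}
		if d.Type()&fs.ModeSymlink != 0 {
			// Follow links only when asked, and never to a target outside ScanRoot (e.g. a mounted image linking to host files).
			target, err := filepath.EvalSymlinks(p)
			if !cfg.ReadSymlinks || err != nil || !underRoot(cfg.ScanRoot, target) {
				return nil
			}
		}
		rel, _ := filepath.Rel(cfg.ScanRoot, p)
		out = append(out, filepath.ToSlash(rel))
		return nil
	})
	return out, err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTree writes a small constructed tree into a temp dir and returns its symlink-resolved root.
func buildTree() string {
	root, err := os.MkdirTemp("", "scalibr-walk-")
	must(err)
	root, err = filepath.EvalSymlinks(root) // macOS: /var -> /private/var
	must(err)
	for _, f := range []string{"app/requirements.txt", "app/vendor/package.json", ".git/config", "node_modules/x/package.json"} {
		must(os.MkdirAll(filepath.Dir(filepath.Join(root, f)), 0o755))
		must(os.WriteFile(filepath.Join(root, f), []byte("constructed\n"), 0o644))
	}
	must(os.Symlink(filepath.Join(root, "app", "requirements.txt"), filepath.Join(root, "app", "reqlink"))) // stays inside
	must(os.Symlink(filepath.Dir(root), filepath.Join(root, "app", "escape")))                              // escapes root
	return root
}

// demo runs three scenarios against the constructed tree and removes it afterwards.
func demo() map[string][]string {
	root := buildTree()
	defer os.RemoveAll(root)
	res := map[string][]string{}
	for name, cfg := range map[string]walkConfig{
		"default":  {ScanRoot: root},
		"skipped":  {ScanRoot: root, DirsToSkip: []string{filepath.Join(root, ".git")}, SkipDirRegex: regexp.MustCompile(`node_modules$`)},
		"symlinks": {ScanRoot: root, ReadSymlinks: true},
	} {
		files, err := walk(cfg)
		must(err)
		res[name] = files
	}
	return res
}

func main() { fmt.Println(demo()) }
```

demo returns the relative file list for each scenario: the default walk never reads a symlink, the skipped walk drops .git and node_modules entirely, and the symlink walk includes app/reqlink (its target stays inside the root) but still drops app/escape. A relative DirsToSkip entry such as ".git" is rejected up front, which is the behaviour the "not relative to ScanRoot" note implies rather than a silent no-op.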

func (*ScanConfig) EnableRequiredExtractors added in v0.1.1

func (cfg *ScanConfig) EnableRequiredExtractors() error

EnableRequiredExtractors adds those extractors to the config that are required by enabled detectors but have not been explicitly enabled.
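The practical consequence of this method is that enabling a detector can quietly enlarge the set of plugins that read files on the scanned system. The following Go program is an added example, not the library's implementation: it reimplements the documented behaviour over hypothetical stand-in interfaces (the extractor and detector types, the RequiredExtractors method, the registry and all plugin names are constructed for the example) and, unlike the library method, which returns only an error, also returns the names it added so the caller can audit them; a required name that is not in the registry is treated as an error rather than skipped.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical stand-ins for the plugin interfaces; the real ones live in the
// detector and extractor/filesystem packages and carry more methods.
type extractor interface{ Name() string }

type detector interface {
	Name() string
	RequiredExtractors() []string // names of the extractors whose inventory the detector consumes
}

type namedExtractor string

func (n namedExtractor) Name() string { return string(n) }

type namedDetector struct {
	name  string
	needs []string
}

func (d namedDetector) Name() string                 { return d.name }
func (d namedDetector) RequiredExtractors() []string { return d.needs }

// registry is a constructed catalogue standing in for the built-in extractor
// list; the names are made up for this example.
var registry = map[string]func() extractor{
	"os/dpkg":         func() extractor { return namedExtractor("os/dpkg") },
	"os/rpm":          func() extractor { return namedExtractor("os/rpm") },
	"python/wheelegg": func() extractor { return namedExtractor("python/wheelegg") },
}

// scanConfig mirrors the two ScanConfig fields the method touches.
type scanConfig struct {
	FilesystemExtractors []extractor
	Detectors            []detector
}

// EnableRequiredExtractors enables every extractor some configured detector
// requires that was not enabled explicitly. It returns the names it added so
// the caller can audit which extra plugins will now read files; a name missing
// from the registry is an error rather than a silent skip.
func (cfg *scanConfig) EnableRequiredExtractors() ([]string, error) {
	enabled := map[string]bool{}
	for _, e := range cfg.FilesystemExtractors {
		enabled[e.Name()] = true
	}
	added := []string{}
	for _, d := range cfg.Detectors {
		for _, name := range d.RequiredExtractors() {
			if enabled[name] {
				continue
			}
			mk, ok := registry[name]
			if !ok {
				return added, fmt.Errorf("detector %q requires unknown extractor %q", d.Name(), name)
			}
			cfg.FilesystemExtractors = append(cfg.FilesystemExtractors, mk())
			enabled[name] = true
			added = append(added, name)
		}
	}
	sort.Strings(added)
	return added, nil
}

// extractorNames lists the enabled extractors in sorted order.
func extractorNames(cfg *scanConfig) []string {
	names := []string{}
	for _, e := range cfg.FilesystemExtractors {
		names = append(names, e.Name())
	}
	sort.Strings(names)
	return names
}

func main() {
	cfg := &scanConfig{
		FilesystemExtractors: []extractor{namedExtractor("python/wheelegg")},
		Detectors: []detector{
			namedDetector{name: "cve/example", needs: []string{"os/dpkg", "os/rpm", "python/wheelegg"}},
			namedDetector{name: "cis/example"}, // reads its target file itself, needs no extractor
		},
	}
	added, err := cfg.EnableRequiredExtractors()
	fmt.Println("added:", added, "now enabled:", extractorNames(cfg), "err:", err)
}
```

Calling the method a second time adds nothing, so it is safe to run before every scan; logging the returned names is the cheap way to keep the effective plugin set visible in a scan's audit trail.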

type ScanResult

type ScanResult struct {
	Version   string
	StartTime time.Time
	EndTime   time.Time
	// Status of the overall scan.
	Status *plugin.ScanStatus
	// Status and versions of the inventory+vuln plugins that ran.
	PluginStatus []*plugin.Status
	Inventories  []*extractor.Inventory
	Findings     []*detector.Finding
}

ScanResult stores the software inventory and security findings that a scan run found.

type Scanner

type Scanner struct{}

Scanner is the main entry point of the scanner.

func New

func New() *Scanner

New creates a new scanner instance.

func (Scanner) Scan

func (Scanner) Scan(ctx context.Context, config *ScanConfig) (sr *ScanResult)

Scan executes the extraction and detection using the provided scan config.

Directories

Path: Synopsis
scalibr (command): The scalibr command wraps around the SCALIBR library to create a standalone CLI for extraction + detection with direct access to the local machine's filesystem.
cli: Package cli defines the structures to store the CLI flags used by the scanner binary.
proto: Package proto provides protobuf related utilities for the SCALIBR binary.
scanrunner: Package scanrunner provides the main function for running a scan with the SCALIBR binary.
spdx: Package spdx provides utilities for writing SPDX documents to the filesystem.
converter: Package converter provides utility functions for converting SCALIBR's scan results to standardized inventory formats.
detector: Package detector provides the interface for security-related detection plugins.
cis/generic_linux/etcpasswdpermissions: Package etcpasswdpermissions implements a detector for the "Ensure permissions on /etc/passwd- are configured" CIS check.
cve/cve202338408: Package cve202338408 implements a detector for CVE-2023-38408.
cve/cve202338408/semantic: Package semantic provides version comparison.
govulncheck/binary: Package binary implements a detector that uses govulncheck to scan for vulns on Go binaries found on the filesystem.
list: Package list provides a public list of SCALIBR-internal detection plugins.
weakcredentials/etcshadow: Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow.
extractor: Package extractor provides the common interface for standalone and filesystem extractors.
filesystem: Package filesystem provides the interface for inventory extraction plugins.
filesystem/internal: Package internal contains miscellaneous functions and objects useful within Scalibr.
filesystem/internal/units: Package units provides constants for common units.
filesystem/language/dotnet/packageslockjson: Package packageslockjson extracts packages.lock.json files.
filesystem/language/golang/gobinary: Package gobinary extracts packages from buildinfo inside go binaries files.
filesystem/language/java/archive: Package archive extracts Java archive files.
filesystem/language/javascript/packagejson: Package packagejson extracts package.json files.
filesystem/language/javascript/packagelockjson: Package packagelockjson extracts package-lock.json files.
filesystem/language/python/requirements: Package requirements extracts requirements files.
filesystem/language/python/wheelegg: Package wheelegg extracts wheel and egg files.
filesystem/language/ruby/gemspec: Package gemspec extracts *.gemspec files.
filesystem/list: Package list provides a public list of SCALIBR-internal extraction plugins.
filesystem/os/apk: Package apk extracts packages from the APK database.
filesystem/os/cos: Package cos extracts OS packages from Container Optimized OSes (go/cos).
filesystem/os/dpkg: Package dpkg extracts packages from dpkg database.
filesystem/os/osrelease: Package osrelease parses the os-release file.
filesystem/os/rpm: Package rpm extracts packages from rpm database.
filesystem/osv: Package osv provides a Wrapper for osv plugins.
filesystem/sbom/spdx: Package spdx extracts software dependencies from an SPDX SBOM.
standalone: Package standalone provides a way to extract in a standalone mode (e.g.
standalone/list: Package list contains the list of all standalone extractors.
standalone/windows/common/winproducts: Package winproducts contains information about Windows products.
standalone/windows/dismpatch/dismparser: Package dismparser has methods that can be used to parse DISM output.
inventoryindex: Package inventoryindex is a wrapper around the collected inventory, which provides methods for fast lookup of identified software.
log: Package log defines SCALIBR's logger interface.
plugin: Package plugin collects the common code used by extractor and detector plugins.
purl: Package purl provides functions to encode and decode package URLs according to the spec: https://github.com/package-url/purl-spec. This package is a convenience wrapper and abstraction layer around an existing open source implementation.
stats: Package stats contains interfaces and utilities relating to the collection of statistics from Scalibr.
testing
fakedetector: Package fakedetector provides a Detector implementation to be used in tests.
fakeextractor: Package fakeextractor provides an Extractor implementation to be used in tests.
