README
¶
OSV-SCALIBR
Note: The code in this repo is subject to change in the near future as we're merging SCALIBR with OSV-scanner to provide a single tool that unifies the two scanners' extraction and vuln scanning capabilities.
SCALIBR (Software Composition Analysis Library) is an extensible file system scanner used to extract software inventory data (e.g. installed language packages) and detect vulnerabilities.
The scanner can either be used as a standalone binary to scan the local machine or as a library with a custom wrapper to perform scans on e.g. container images or remote hosts. It comes with built-in plugins for inventory extraction and vulnerability detection and it also allows users to run their custom plugins.
See the list of currently supported software inventory types.
Prerequisites
To build SCALIBR, you'll need to have go installed. Follow https://go.dev/doc/install.
How to use
As a standalone binary
Note: This binary is a thin wrapper around the OSV-SCALIBR library. In the near future the osv-scanner CLI will make all capabilities of OSV-SCALIBR available with convenience features such as vuln matching through OSV.dev.
go install github.com/google/osv-scalibr/binary/scalibr@latestscalibr --result=result.textproto
See the result proto definition for details about the scan result format.
Run scalibr --help for a list of additional CLI args.
As a library:
- Import
github.com/google/osv-scalibrinto your Go project - Create a new scalibr.ScanConfig struct, configure the extraction and detection plugins to run
- Call
scalibr.New().Scan()with the config - Parse the returned scalibr.ScanResults
See below for an example code snippet.
On a container image
Add the --remote-image flag to scan a remote container image. Example:
scalibr --result=result.textproto --remote-image=alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
SPDX generation
SCALIBR supports generating the result of inventory extraction as an SPDX v2.3 file in json, yaml or tag-value format. Example usage:
scalibr -o spdx23-json=result.spdx.json
Some fields in the generated SPDX can be overwritten:
scalibr -spdx-document-name="Custom name" --spdx-document-namespace="Custom-namespace" --spdx-creators=Organization:Google -o spdx23-json=result.spdx.json
Running built-in plugins
With the standalone binary
The binary runs SCALIBR's "recommended" internal plugins by default. You can enable more plugins with the --extractors= and --detectors= flags. See the definition files for a list of all built-in plugins and their CLI flags (extractors (fs), detectors).
With the library
A collection of all built-in plugin modules can be found in the definition files (extractors, detectors). To enable them, just import the module and add the appropriate plugins to the scan config, e.g.
import (
scalibr "github.com/google/osv-scalibr"
el "github.com/google/osv-scalibr/extractor/filesystem/list"
dl "github.com/google/osv-scalibr/detector/list"
)
cfg := &scalibr.ScanConfig{
Root: "/",
FilesystemExtractors: el.Python,
Detectors: dl.CIS,
}
results := scalibr.New().Scan(context.Background(), cfg)
Creating + running custom plugins
Custom plugins can only be run when using SCALIBR as a library.
- Create an implementation of the SCALIBR Extractor or Detector interface.
- Add the newly created struct to the scan config and run the scan, e.g.
import (
"github.com/google/osv-scalibr/extractor/filesystem"
scalibr "github.com/google/osv-scalibr"
)
cfg := &scalibr.ScanConfig{
Root: "/",
FilesystemExtractors: []extractor.Extractor{&myExtractor{}},
}
results := scalibr.New().Scan(context.Background(), cfg)
A note on cross-platform
SCALIBR is compatible with Linux and has experimental support for Windows and Mac. When a new plugin is implemented for SCALIBR, we need to ensure that it will not break other platforms. Our runners will generally catch compatibility issue, but to ensure everything is easy when implementing a plugin, here are a few recommendations to keep in mind:
- Ensure you work with file paths using the
filepathlibrary. For example, avoid using/my/pathbut preferfilepath.Join('my', 'path')instead. - If the plugin can only support one system (e.g. a windows-specific
detector), the layout will generally be to have two versions of the file:
file_system.go: wheresystemis the targeted system (e.g.file_windows.go) that contains the code specific to the target system. It must also contain the adequate go build constraint.file_dummy.go: contains the code for every other system. It generally does nothing and just ensures that the code compiles on that system;
- Because of the way our internal automation works, we generally require unit
tests to be defined for every platform and be filtered out dynamically if
not compatible. In other words, a test should be filtered in/out using
if runtime.GOOSrather than a//go:buildconstraint. Here is an example.
Custom logging
You can make the SCALIBR library log using your own custom logger by passing an implementation of the log.Logger interface to log.SetLogger():
import (
customlog "path/to/custom/log"
"github.com/google/osv-scalibr/log"
scalibr "github.com/google/osv-scalibr"
)
cfg := &scalibr.ScanConfig{ScanRoot: "/"}
log.SetLogger(&customlog.Logger{})
results := scalibr.New().Scan(context.Background(), cfg)
log.Info(results)
Contributing
Read how to contribute to SCALIBR.
To build and test your local changes, run make and make test. A local scalibr binary will be generated in the repo base.
Some of your code contributions might require regenerating protos. This can happen when, say, you want to contribute a new inventory type. For such cases, you'll need install a few dependencies
protoc: Install the appropriate precompiled protoc binary.- For Mac, you can also install via HomeBrew.
protoc-gen-go: Rungo install google.golang.org/protobuf/cmd/protoc-gen-go
and then run make protos or ./build_protos.sh.
Disclaimers
SCALIBR is not an official Google product.
Documentation
¶
Overview ¶
Package scalibr provides an interface for running software inventory extraction and security finding detection on a machine.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CmpInventories ¶ added in v0.1.4
CmpInventories is a comparison helper fun to be used for sorting Inventory structs.
Types ¶
type ScanConfig ¶
type ScanConfig struct {
FilesystemExtractors []filesystem.Extractor
StandaloneExtractors []standalone.Extractor
Detectors []detector.Detector
// Capabilities that the scanning environment satisfies, e.g. whether there's
// network access. Some plugins can only run if certain requirements are met.
Capabilities *plugin.Capabilities
// ScanRoots contain the list of root dir used by file walking during extraction.
// All extractors and detectors will assume files are relative to these dirs.
// Example use case: Scanning a container image or source code repo that is
// mounted to a local dir.
ScanRoots []*scalibrfs.ScanRoot
// Optional: Individual files to extract inventory from. If specified, the
// extractors will only look at these files during the filesystem traversal.
// Note that on real filesystems these are not relative to the ScanRoots and
// thus need to be in sub-directories of one of the ScanRoots.
FilesToExtract []string
// Optional: Directories that the file system walk should ignore.
// Note that on real filesystems these are not relative to the ScanRoots and
// thus need to be in sub-directories of one of the ScanRoots.
// TODO(b/279413691): Also skip local paths, e.g. "Skip all .git dirs"
DirsToSkip []string
// Optional: If the regex matches a directory, it will be skipped.
SkipDirRegex *regexp.Regexp
// Optional: If the glob matches a directory, it will be skipped.
SkipDirGlob glob.Glob
// Optional: stats allows to enter a metric hook. If left nil, no metrics will be recorded.
Stats stats.Collector
// Optional: Whether to read symlinks.
ReadSymlinks bool
// Optional: Limit for visited inodes. If 0, no limit is applied.
MaxInodes int
// Optional: By default, inventories stores a path relative to the scan root. If StoreAbsolutePath
// is set, the absolute path is stored instead.
StoreAbsolutePath bool
// Optional: If true, print a detailed analysis of the duration of each extractor.
PrintDurationAnalysis bool
// Optional: If true, fail the scan if any permission errors are encountered.
ErrorOnFSErrors bool
}
ScanConfig stores the config settings of a scan run such as the plugins to use and the dir to consider the root of the scanned system.
func (*ScanConfig) EnableRequiredExtractors ¶ added in v0.1.1
func (cfg *ScanConfig) EnableRequiredExtractors() error
EnableRequiredExtractors adds those extractors to the config that are required by enabled detectors but have not been explicitly enabled.
func (*ScanConfig) ValidatePluginRequirements ¶ added in v0.1.3
func (cfg *ScanConfig) ValidatePluginRequirements() error
ValidatePluginRequirements checks that the scanning environment's capabilities satisfy the requirements of all enabled plugin.
type ScanResult ¶
type ScanResult struct {
Version string
StartTime time.Time
EndTime time.Time
// Status of the overall scan.
Status *plugin.ScanStatus
// Status and versions of the inventory+vuln plugins that ran.
PluginStatus []*plugin.Status
Inventories []*extractor.Inventory
Findings []*detector.Finding
}
ScanResult stores the software inventory and security findings that a scan run found.
type Scanner ¶
type Scanner struct{}
Scanner is the main entry point of the scanner.
func (Scanner) Scan ¶
func (Scanner) Scan(ctx context.Context, config *ScanConfig) (sr *ScanResult)
Scan executes the extraction and detection using the provided scan config.
func (Scanner) ScanContainer ¶ added in v0.1.6
func (s Scanner) ScanContainer(ctx context.Context, img *image.Image, config *ScanConfig) (sr *ScanResult, err error)
ScanContainer scans the provided container image for inventory and security findings using the provided scan config. It populates the LayerDetails field of the inventory with the origin layer details. Functions to create an Image from a tarball, remote name, or v1.Image are available in the artifact/image/layerscanning/image package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
artifact
|
|
|
image
Package image provides functionality to scan a container image by layers for software inventory.
|
Package image provides functionality to scan a container image by layers for software inventory. |
|
image/layerscanning/image
Package image provides functionality to scan a container image by layers for software inventory.
|
Package image provides functionality to scan a container image by layers for software inventory. |
|
image/layerscanning/testing/fakechainlayer
Package fakechainlayer provides a fake implementation of the image.ChainLayer and scalibrfs.FS interface for testing purposes.
|
Package fakechainlayer provides a fake implementation of the image.ChainLayer and scalibrfs.FS interface for testing purposes. |
|
image/layerscanning/testing/fakelayer
Package fakelayer provides a fake implementation of the image.Layer interface for testing purposes.
|
Package fakelayer provides a fake implementation of the image.Layer interface for testing purposes. |
|
image/layerscanning/testing/fakev1layer
Package fakev1layer provides a fake implementation of the v1.Layer interface for testing purposes.
|
Package fakev1layer provides a fake implementation of the v1.Layer interface for testing purposes. |
|
image/layerscanning/trace
Package trace provides functionality to trace the origin of an inventory in a container image.
|
Package trace provides functionality to trace the origin of an inventory in a container image. |
|
image/pathtree
Package pathtree provides a tree structure for representing file paths.
|
Package pathtree provides a tree structure for representing file paths. |
|
image/require
Package require provides an interface for specifying which files we are interested in during a container image extraction.
|
Package require provides an interface for specifying which files we are interested in during a container image extraction. |
|
image/symlink
Package symlink provides symlink-related util functions for container extraction.
|
Package symlink provides symlink-related util functions for container extraction. |
|
image/tar
Package tar provides functionality for saving a container image to a tarball.
|
Package tar provides functionality for saving a container image to a tarball. |
|
image/unpack
Package unpack contains functions to unpack an image.
|
Package unpack contains functions to unpack an image. |
|
image/whiteout
Package whiteout defines and implements whiteout related functions to be used in the layer scanning methods and functions.
|
Package whiteout defines and implements whiteout related functions to be used in the layer scanning methods and functions. |
|
binary
|
|
|
cdx
Package cdx provides utilities for writing CycloneDX documents to the filesystem.
|
Package cdx provides utilities for writing CycloneDX documents to the filesystem. |
|
cli
Package cli defines the structures to store the CLI flags used by the scanner binary.
|
Package cli defines the structures to store the CLI flags used by the scanner binary. |
|
platform
Package platform provides platform-specific functionality.
|
Package platform provides platform-specific functionality. |
|
proto
Package proto provides protobuf related utilities for the SCALIBR binary.
|
Package proto provides protobuf related utilities for the SCALIBR binary. |
|
scalibr
The scalibr command wraps around the SCALIBR library to create a standalone CLI for extraction + detection with direct access to the local machine's filesystem.
|
The scalibr command wraps around the SCALIBR library to create a standalone CLI for extraction + detection with direct access to the local machine's filesystem. |
|
scanrunner
Package scanrunner provides the main function for running a scan with the SCALIBR binary.
|
Package scanrunner provides the main function for running a scan with the SCALIBR binary. |
|
spdx
Package spdx provides utilities for writing SPDX documents to the filesystem.
|
Package spdx provides utilities for writing SPDX documents to the filesystem. |
|
common
|
|
|
windows/registry
Package registry provides an interface to abstract the Windows registry libraries away.
|
Package registry provides an interface to abstract the Windows registry libraries away. |
|
Package converter provides utility functions for converting SCALIBR's scan results to standardized inventory formats.
|
Package converter provides utility functions for converting SCALIBR's scan results to standardized inventory formats. |
|
Package detector provides the interface for security-related detection plugins.
|
Package detector provides the interface for security-related detection plugins. |
|
cis/generic_linux/etcpasswdpermissions
Package etcpasswdpermissions implements a detector for the "Ensure permissions on /etc/passwd- are configured" CIS check.
|
Package etcpasswdpermissions implements a detector for the "Ensure permissions on /etc/passwd- are configured" CIS check. |
|
cve/cve202011978
Package cve202011978 implements a detector for CVE-2020-11978.
|
Package cve202011978 implements a detector for CVE-2020-11978. |
|
cve/cve202016846
Package cve202016846 implements a detector for CVE-2020-16846.
|
Package cve202016846 implements a detector for CVE-2020-16846. |
|
cve/cve202233891
Package cve202233891 implements a detector for CVE-2022-33891.
|
Package cve202233891 implements a detector for CVE-2022-33891. |
|
cve/cve202338408
Package cve202338408 implements a detector for CVE-2023-38408.
|
Package cve202338408 implements a detector for CVE-2023-38408. |
|
cve/cve202338408/semantic
Package semantic provides version comparison.
|
Package semantic provides version comparison. |
|
cve/cve20236019
Package cve20236019 implements a SCALIBR Detector for CVE-2023-6019 To test, install a vulnerable Ray version: python3 -m pip install ray==2.6.3 Start the Ray dashboard: python3 -c "import ray; context = ray.init(); print(context)" Run the detector
|
Package cve20236019 implements a SCALIBR Detector for CVE-2023-6019 To test, install a vulnerable Ray version: python3 -m pip install ray==2.6.3 Start the Ray dashboard: python3 -c "import ray; context = ray.init(); print(context)" Run the detector |
|
cve/cve20242912
Package cve20242912 implements a detector for CVE-2024-2912.
|
Package cve20242912 implements a detector for CVE-2024-2912. |
|
govulncheck/binary
Package binary implements a detector that uses govulncheck to scan for vulns on Go binaries found on the filesystem.
|
Package binary implements a detector that uses govulncheck to scan for vulns on Go binaries found on the filesystem. |
|
list
Package list provides a public list of SCALIBR-internal detection plugins.
|
Package list provides a public list of SCALIBR-internal detection plugins. |
|
weakcredentials/etcshadow
Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow.
|
Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow. |
|
weakcredentials/filebrowser
Package filebrowser implements a detector for weak/guessable passwords on a filebrowser instance.
|
Package filebrowser implements a detector for weak/guessable passwords on a filebrowser instance. |
|
weakcredentials/winlocal/samreg
Package samreg provides a wrapper around the SAM registry.
|
Package samreg provides a wrapper around the SAM registry. |
|
weakcredentials/winlocal/systemreg
Package systemreg provides a wrapper around the SYSTEM registry.
|
Package systemreg provides a wrapper around the SYSTEM registry. |
|
Package extractor provides the common interface for standalone and filesystem extractors.
|
Package extractor provides the common interface for standalone and filesystem extractors. |
|
filesystem
Package filesystem provides the interface for inventory extraction plugins.
|
Package filesystem provides the interface for inventory extraction plugins. |
|
filesystem/containers/containerd
Package containerd extracts container inventory from containerd metadb database.
|
Package containerd extracts container inventory from containerd metadb database. |
|
filesystem/internal
Package internal contains miscellaneous functions and objects useful within Scalibr
|
Package internal contains miscellaneous functions and objects useful within Scalibr |
|
filesystem/internal/units
Package units provides constants for common units.
|
Package units provides constants for common units. |
|
filesystem/language/cpp/conanlock
Package conanlock extracts conan.lock files.
|
Package conanlock extracts conan.lock files. |
|
filesystem/language/dart/pubspec
Package pubspec extracts Dart pubspec.lock files.
|
Package pubspec extracts Dart pubspec.lock files. |
|
filesystem/language/dotnet/depsjson
Package depsjson extracts packages from .NET deps.json files.
|
Package depsjson extracts packages from .NET deps.json files. |
|
filesystem/language/dotnet/packageslockjson
Package packageslockjson extracts packages.lock.json files.
|
Package packageslockjson extracts packages.lock.json files. |
|
filesystem/language/elixir/mixlock
Package mixlock extracts elixir mix.lock files.
|
Package mixlock extracts elixir mix.lock files. |
|
filesystem/language/erlang/mixlock
Package mixlock extracts erlang mix.lock files.
|
Package mixlock extracts erlang mix.lock files. |
|
filesystem/language/erlang/mixlock/mixlockutils
Package mixlockutils provides common functions for parsing Mix.lock lockfiles.
|
Package mixlockutils provides common functions for parsing Mix.lock lockfiles. |
|
filesystem/language/golang/gobinary
Package gobinary extracts packages from buildinfo inside go binaries files.
|
Package gobinary extracts packages from buildinfo inside go binaries files. |
|
filesystem/language/golang/gomod
Package gomod extracts go.mod files.
|
Package gomod extracts go.mod files. |
|
filesystem/language/haskell/cabal
Package cabal extracts cabal.project.freeze files from haskell projects.
|
Package cabal extracts cabal.project.freeze files from haskell projects. |
|
filesystem/language/haskell/stacklock
Package stacklock extracts stack.yaml.lock files from haskell projects.
|
Package stacklock extracts stack.yaml.lock files from haskell projects. |
|
filesystem/language/java/archive
Package archive extracts Java archive files.
|
Package archive extracts Java archive files. |
|
filesystem/language/java/gradlelockfile
Package gradlelockfile extracts pom.xml files.
|
Package gradlelockfile extracts pom.xml files. |
|
filesystem/language/java/gradleverificationmetadataxml
Package gradleverificationmetadataxml extracts Gradle files.
|
Package gradleverificationmetadataxml extracts Gradle files. |
|
filesystem/language/java/groupid
Package groupid provides functionality for retrieving the group ID of a Java package.
|
Package groupid provides functionality for retrieving the group ID of a Java package. |
|
filesystem/language/java/javalockfile
Package javalockfile provides shared structures for Java extractors.
|
Package javalockfile provides shared structures for Java extractors. |
|
filesystem/language/java/pomxml
Package pomxml extracts pom.xml files.
|
Package pomxml extracts pom.xml files. |
|
filesystem/language/java/pomxmlnet
Package pomxmlnet extracts Maven's pom.xml format with transitive dependency resolution.
|
Package pomxmlnet extracts Maven's pom.xml format with transitive dependency resolution. |
|
filesystem/language/javascript/bunlock
Package bunlock extracts bun.lock files
|
Package bunlock extracts bun.lock files |
|
filesystem/language/javascript/internal/commitextractor
Package commitextractor provides a function to extract commit hash from the full git URL
|
Package commitextractor provides a function to extract commit hash from the full git URL |
|
filesystem/language/javascript/packagejson
Package packagejson extracts package.json files.
|
Package packagejson extracts package.json files. |
|
filesystem/language/javascript/packagelockjson
Package packagelockjson extracts package-lock.json files.
|
Package packagelockjson extracts package-lock.json files. |
|
filesystem/language/javascript/pnpmlock
Package pnpmlock extracts pnpm-lock.yaml files.
|
Package pnpmlock extracts pnpm-lock.yaml files. |
|
filesystem/language/javascript/yarnlock
Package yarnlock extracts NPC yarn.lock files.
|
Package yarnlock extracts NPC yarn.lock files. |
|
filesystem/language/php/composerlock
Package composerlock extracts composer.lock files.
|
Package composerlock extracts composer.lock files. |
|
filesystem/language/python/condameta
Package condameta extracts Conda package metadata from conda-meta JSON files.
|
Package condameta extracts Conda package metadata from conda-meta JSON files. |
|
filesystem/language/python/internal/pypipurl
Package pypipurl converts an inventory to a PyPI type PackageURL.
|
Package pypipurl converts an inventory to a PyPI type PackageURL. |
|
filesystem/language/python/pdmlock
Package pdmlock extracts pdm.lock files.
|
Package pdmlock extracts pdm.lock files. |
|
filesystem/language/python/pipfilelock
Package pipfilelock extracts Pipfile.lock files.
|
Package pipfilelock extracts Pipfile.lock files. |
|
filesystem/language/python/poetrylock
Package poetrylock extracts poetry.lock files.
|
Package poetrylock extracts poetry.lock files. |
|
filesystem/language/python/requirements
Package requirements extracts requirements files.
|
Package requirements extracts requirements files. |
|
filesystem/language/python/uvlock
Package uvlock extracts uv.lock files.
|
Package uvlock extracts uv.lock files. |
|
filesystem/language/python/wheelegg
Package wheelegg extracts wheel and egg files.
|
Package wheelegg extracts wheel and egg files. |
|
filesystem/language/r/renvlock
Package renvlock extracts renv.lock files.
|
Package renvlock extracts renv.lock files. |
|
filesystem/language/ruby/gemfilelock
Package gemfilelock extracts Gemfile.lock files.
|
Package gemfilelock extracts Gemfile.lock files. |
|
filesystem/language/ruby/gemspec
Package gemspec extracts *.gemspec files.
|
Package gemspec extracts *.gemspec files. |
|
filesystem/language/rust/cargoauditable
Package cargoauditable extracts dependencies from cargo auditable inside rust binaries.
|
Package cargoauditable extracts dependencies from cargo auditable inside rust binaries. |
|
filesystem/language/rust/cargolock
Package cargolock extracts Cargo.lock files for rust projects
|
Package cargolock extracts Cargo.lock files for rust projects |
|
filesystem/language/swift/packageresolved
Package resolved extracts Package.resolved files
|
Package resolved extracts Package.resolved files |
|
filesystem/language/swift/podfilelock
Package podfilelock extracts dependencies from Podfile.lock files.
|
Package podfilelock extracts dependencies from Podfile.lock files. |
|
filesystem/language/swift/swiftutils
Package swiftutils provides utilities for parsing Swift podfiles.
|
Package swiftutils provides utilities for parsing Swift podfiles. |
|
filesystem/list
Package list provides a public list of SCALIBR-internal extraction plugins.
|
Package list provides a public list of SCALIBR-internal extraction plugins. |
|
filesystem/os/apk
Package apk extracts packages from the APK database.
|
Package apk extracts packages from the APK database. |
|
filesystem/os/cos
Package cos extracts OS packages from Container Optimized OSes (go/cos).
|
Package cos extracts OS packages from Container Optimized OSes (go/cos). |
|
filesystem/os/dpkg
Package dpkg extracts packages from dpkg database.
|
Package dpkg extracts packages from dpkg database. |
|
filesystem/os/flatpak
Package flatpak extracts packages from flatpak metainfo files.
|
Package flatpak extracts packages from flatpak metainfo files. |
|
filesystem/os/homebrew
Package homebrew extracts package information from OSX homebrew INSTALL_RECEIPT.json files.
|
Package homebrew extracts package information from OSX homebrew INSTALL_RECEIPT.json files. |
|
filesystem/os/kernel/module
Package module extracts .ko files from kernel modules.
|
Package module extracts .ko files from kernel modules. |
|
filesystem/os/kernel/vmlinuz
Package vmlinuz extracts information about vmlinuz compressed kernel images.
|
Package vmlinuz extracts information about vmlinuz compressed kernel images. |
|
filesystem/os/macapps
Package macapps extracts applications data from Info.plist files of OS X devices.
|
Package macapps extracts applications data from Info.plist files of OS X devices. |
|
filesystem/os/nix
Package nix extracts packages from the Nix store directory.
|
Package nix extracts packages from the Nix store directory. |
|
filesystem/os/osrelease
Package osrelease parses the os-release file.
|
Package osrelease parses the os-release file. |
|
filesystem/os/pacman
Package pacman extracts packages from archlinux desc file.
|
Package pacman extracts packages from archlinux desc file. |
|
filesystem/os/portage
Package portage extracts packages from portage database.
|
Package portage extracts packages from portage database. |
|
filesystem/os/rpm
Package rpm extracts packages from rpm database.
|
Package rpm extracts packages from rpm database. |
|
filesystem/os/snap
Package snap extracts snap packages
|
Package snap extracts snap packages |
|
filesystem/sbom/cdx
Package cdx extracts software dependencies from an CycloneDX SBOM.
|
Package cdx extracts software dependencies from an CycloneDX SBOM. |
|
filesystem/sbom/spdx
Package spdx extracts software dependencies from an SPDX SBOM.
|
Package spdx extracts software dependencies from an SPDX SBOM. |
|
filesystem/simplefileapi
Package simplefileapi provides a fake implementation of the filesystem.FileAPI interface.
|
Package simplefileapi provides a fake implementation of the filesystem.FileAPI interface. |
|
standalone
Package standalone provides a way to extract in a standalone mode (e.g.
|
Package standalone provides a way to extract in a standalone mode (e.g. |
|
standalone/containers/containerd
Package containerd extracts container inventory from containerd API.
|
Package containerd extracts container inventory from containerd API. |
|
standalone/containers/containerd/fakeclient
Package fakeclient contains a fake implementation of the containerd client for testing purposes.
|
Package fakeclient contains a fake implementation of the containerd client for testing purposes. |
|
standalone/list
Package list contains the list of all standalone extractors.
|
Package list contains the list of all standalone extractors. |
|
standalone/windows/common/metadata
Package metadata provides metadata structures to annotate Windows inventories.
|
Package metadata provides metadata structures to annotate Windows inventories. |
|
standalone/windows/common/winproducts
Package winproducts contains information about Windows products.
|
Package winproducts contains information about Windows products. |
|
standalone/windows/dismpatch/dismparser
Package dismparser has methods that can be used to parse DISM output
|
Package dismparser has methods that can be used to parse DISM output |
|
Package fs provides a virtual filesystem interface for SCALIBR scans and related helper functions.
|
Package fs provides a virtual filesystem interface for SCALIBR scans and related helper functions. |
|
internal
|
|
|
datasource
Package datasource provides clients to fetch data from different APIs.
|
Package datasource provides clients to fetch data from different APIs. |
|
mavenutil
Package mavenutil provides utilities for merging Maven pom/xml.
|
Package mavenutil provides utilities for merging Maven pom/xml. |
|
resolution/client
Package client provides clients required by dependency resolution.
|
Package client provides clients required by dependency resolution. |
|
resolution/clienttest
Package clienttest provides mock servers for testing.
|
Package clienttest provides mock servers for testing. |
|
Package inventoryindex is a wrapper around the collected inventory, which provides methods for fast lookup of identified software.
|
Package inventoryindex is a wrapper around the collected inventory, which provides methods for fast lookup of identified software. |
|
Package log defines SCALIBR's logger interface.
|
Package log defines SCALIBR's logger interface. |
|
Package plugin collects the common code used by extractor and detector plugins.
|
Package plugin collects the common code used by extractor and detector plugins. |
|
Package purl provides functions to code and decode package url according to the spec: https://github.com/package-url/purl-spec This package is a convenience wrapper and abstraction layer around an existing open source implementation.
|
Package purl provides functions to code and decode package url according to the spec: https://github.com/package-url/purl-spec This package is a convenience wrapper and abstraction layer around an existing open source implementation. |
|
Package stats contains interfaces and utilities relating to the collection of statistics from Scalibr.
|
Package stats contains interfaces and utilities relating to the collection of statistics from Scalibr. |
|
testing
|
|
|
extracttest
Package extracttest provides structures to help create tabular tests for extractors.
|
Package extracttest provides structures to help create tabular tests for extractors. |
|
fakedetector
Package fakedetector provides a Detector implementation to be used in tests.
|
Package fakedetector provides a Detector implementation to be used in tests. |
|
fakeextractor
Package fakeextractor provides a Extractor implementation to be used in tests.
|
Package fakeextractor provides a Extractor implementation to be used in tests. |
|
fakefs
Package fakefs provides a fake file system implementation for testing.
|
Package fakefs provides a fake file system implementation for testing. |
|
mockregistry
Package mockregistry provides a mock implementation of the registry.Registry interface.
|
Package mockregistry provides a mock implementation of the registry.Registry interface. |
|
testcollector
Package testcollector provides an implementation of stats.Collector that stores recorded metrics for verification in tests.
|
Package testcollector provides an implementation of stats.Collector that stores recorded metrics for verification in tests. |
Click to show internal directories.
Click to hide internal directories.