README
¶
OSV-SCALIBR
OSV-SCALIBR (Software Composition Analysis Library) is an extensible library providing:
- File system scanner used to extract software inventory data (e.g. installed language packages) and detect known vulnerabilities or generate SBOMs. See the list of currently supported software inventory types.
- Container analysis functionality (e.g. layer-based extraction)
- Guided Remediation (generating upgrade patches for transitive vulnerabilities)
- And more!
This can be used as a library with a custom wrapper to perform scans on e.g. container images or remote hosts, or via the OSV-Scanner CLI. It comes with built-in plugins for inventory extraction and vulnerability detection and it also allows users to run their custom plugins.
Prerequisites
To build OSV-SCALIBR, you'll need to have go installed. Follow
https://go.dev/doc/install.
How to use
Via the OSV-Scanner CLI
If your use case is known vulnerability scanning and extraction in a CLI context, check out the OSV-Scanner usage guide.
Note: Not all OSV-SCALIBR functionality is available via OSV-Scanner yet. Check out this issue for the current status.
Via the OSV-SCALIBR wrapper binary
go install github.com/google/osv-scalibr/binary/scalibr@latestscalibr --result=result.textproto
See the result proto definition for details about the scan result format.
Run scalibr --help for a list of additional CLI args.
As a library:
- Import
github.com/google/osv-scalibrinto your Go project - Create a new scalibr.ScanConfig struct, configure the extraction and detection plugins to run
- Call
scalibr.New().Scan()with the config - Parse the returned scalibr.ScanResults
See below for an example code snippet.
On a container image
Add the --remote-image flag to scan a remote container image. Example:
scalibr --result=result.textproto --remote-image=alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
Or the --image-tarball flag to scan a locally saved image tarball like ones
produced with docker save my-image > my-image.tar. Example:
scalibr --result=result.textproto --image-tarball=my-image.tar
SPDX generation
OSV-SCALIBR supports generating the result of inventory extraction as an SPDX v2.3 file in json, yaml or tag-value format. Example usage:
scalibr -o spdx23-json=result.spdx.json
Some fields in the generated SPDX can be overwritten:
scalibr -spdx-document-name="Custom name" --spdx-document-namespace="Custom-namespace" --spdx-creators=Organization:Google -o spdx23-json=result.spdx.json
Running built-in plugins
With the standalone binary
The binary runs SCALIBR's "recommended" internal plugins by default. You can
enable more plugins with the --plugins= flags. See the
definition files for a list of all built-in plugins and their CLI flags
(extractors (fs),
extractors (standalone),
detectors,
annotators,
enrichers).
With the library
A collection of all built-in plugin modules can be found in the definition files (extractors (fs), extractors (standalone), detectors, annotators, enrichers). To enable them, just import plugins/list and add the appropriate plugin names to the scan config, e.g.
import (
"context"
scalibr "github.com/google/osv-scalibr"
pl "github.com/google/osv-scalibr/plugins/list"
scalibrfs "github.com/google/osv-scalibr/fs"
)
plugins, _ := pl.FromNames([]string{"os", "cis", "vex"})
cfg := &scalibr.ScanConfig{
ScanRoots: scalibrfs.RealFSScanRoots("/"),
Plugins: plugins,
}
results := scalibr.New().Scan(context.Background(), cfg)
You can also specify your scanning host's capabilities to only enable plugins whose requirements are satisfied (e.g. network access, OS-specific plugins):
import (
...
"github.com/google/osv-scalibr/plugin"
)
capab := &plugin.Capabilities{
OS: plugin.OSLinux,
Network: plugin.NetworkOnline,
DirectFS: true,
RunningSystem: true,
}
...
cfg := &scalibr.ScanConfig{
ScanRoots: scalibrfs.RealFSScanRoots("/"),
Plugins: plugin.FilterByCapabilities(plugins, capab),
}
...
Creating + running custom plugins
Custom plugins can only be run when using OSV-SCALIBR as a library.
- Create an implementation of the OSV-SCALIBR Extractor or Detector interface.
- Add the newly created struct to the scan config and run the scan, e.g.
import (
"github.com/google/osv-scalibr/plugin"
scalibr "github.com/google/osv-scalibr"
)
cfg := &scalibr.ScanConfig{
Root: "/",
Plugins: []plugin.Plugin{&myExtractor{}},
}
results := scalibr.New().Scan(context.Background(), cfg)
A note on cross-platform
OSV-SCALIBR is compatible with Linux and has experimental support for Windows and Mac. When a new plugin is implemented for OSV-SCALIBR, we need to ensure that it will not break other platforms. Our runners will generally catch compatibility issues, but to ensure everything is easy when implementing a plugin, here are a few recommendations to keep in mind:
- Ensure you work with file paths using the
filepathlibrary. For example, avoid using/my/pathbut preferfilepath.Join('my', 'path')instead. - If the plugin can only support one system (e.g. a windows-specific
detector), the layout will generally be to have two versions of the file:
file_system.go: wheresystemis the targeted system (e.g.file_windows.go) that contains the code specific to the target system. It must also contain the adequate go build constraint.file_dummy.go: contains the code for every other system. It generally does nothing and just ensures that the code compiles on that system;
- Because of the way our internal automation works, we generally require unit
tests to be defined for every platform and be filtered out dynamically if
not compatible. In other words, a test should be filtered in/out using
if runtime.GOOSrather than a//go:buildconstraint. Here is an example.
Custom logging
You can make the OSV-SCALIBR library log using your own custom logger by passing
an implementation of the log.Logger interface to
log.SetLogger():
import (
customlog "path/to/custom/log"
"github.com/google/osv-scalibr/log"
scalibr "github.com/google/osv-scalibr"
)
cfg := &scalibr.ScanConfig{ScanRoot: "/"}
log.SetLogger(&customlog.Logger{})
results := scalibr.New().Scan(context.Background(), cfg)
log.Info(results)
Contributing
Read how to contribute to OSV-SCALIBR.
To build and test your local changes, run make and make test. A local
scalibr binary will be generated in the repo base.
Some of your code contributions might require regenerating protos. This can happen when, say, you want to contribute a new inventory type. For such cases, you'll need to install a few dependencies:
protoc: Install the appropriate precompiled protoc binary.- For Mac, you can also install via HomeBrew.
protoc-gen-go: Rungo install google.golang.org/protobuf/cmd/protoc-gen-go
and then run make protos or ./build_protos.sh.
Disclaimers
OSV-SCALIBR is not an official Google product.
Documentation
¶
Overview ¶
Package scalibr provides an interface for running software inventory extraction and security finding detection on a machine.
Index ¶
Constants ¶
View Source
const ScannerVersion = "0.3.1"
ScannerVersion is the current version of the scanner that's displayed in the scan results.
Variables ¶
This section is empty.
Functions ¶
func CmpPackages ¶ added in v0.2.0
CmpPackages is a comparison helper fun to be used for sorting Package structs.
Types ¶
type ScanConfig ¶
type ScanConfig struct {
Plugins []plugin.Plugin
// Capabilities that the scanning environment satisfies, e.g. whether there's
// network access. Some plugins can only run if certain requirements are met.
Capabilities *plugin.Capabilities
// ScanRoots contain the list of root dir used by file walking during extraction.
// All extractors and detectors will assume files are relative to these dirs.
// Example use case: Scanning a container image or source code repo that is
// mounted to a local dir.
ScanRoots []*scalibrfs.ScanRoot
// Optional: Individual file or dir paths to extract inventory from. If specified,
// the extractors will only look at the specified files or at the contents of the
// specified directories during the filesystem traversal.
// Note that on real filesystems these are not relative to the ScanRoots and
// thus need to be in sub-directories of one of the ScanRoots.
PathsToExtract []string
// Optional: If true, only the files in the top-level directories in PathsToExtract are
// extracted and sub-directories are ignored.
IgnoreSubDirs bool
// Optional: Directories that the file system walk should ignore.
// Note that on real filesystems these are not relative to the ScanRoots and
// thus need to be in sub-directories of one of the ScanRoots.
// TODO(b/279413691): Also skip local paths, e.g. "Skip all .git dirs"
DirsToSkip []string
// Optional: If the regex matches a directory, it will be skipped.
SkipDirRegex *regexp.Regexp
// Optional: If the glob matches a directory, it will be skipped.
SkipDirGlob glob.Glob
// Optional: Files larger than this size in bytes are skipped. If 0, no limit is applied.
MaxFileSize int
// Optional: Skip files declared in .gitignore files in source repos.
UseGitignore bool
// Optional: stats allows to enter a metric hook. If left nil, no metrics will be recorded.
Stats stats.Collector
// Optional: Whether to read symlinks.
ReadSymlinks bool
// Optional: Limit for visited inodes. If 0, no limit is applied.
MaxInodes int
// Optional: By default, inventories stores a path relative to the scan root. If StoreAbsolutePath
// is set, the absolute path is stored instead.
StoreAbsolutePath bool
// Optional: If true, print a detailed analysis of the duration of each extractor.
PrintDurationAnalysis bool
// Optional: If true, fail the scan if any permission errors are encountered.
ErrorOnFSErrors bool
}
ScanConfig stores the config settings of a scan run such as the plugins to use and the dir to consider the root of the scanned system.
func (*ScanConfig) EnableRequiredPlugins ¶ added in v0.3.1
func (cfg *ScanConfig) EnableRequiredPlugins() error
EnableRequiredPlugins adds those plugins to the config that are required by enabled plugins (such as Detectors or Enrichers) but have not been explicitly enabled.
func (*ScanConfig) ValidatePluginRequirements ¶ added in v0.1.3
func (cfg *ScanConfig) ValidatePluginRequirements() error
ValidatePluginRequirements checks that the scanning environment's capabilities satisfy the requirements of all enabled plugin.
type ScanResult ¶
type ScanResult = result.ScanResult
ScanResult stores the results of a scan incl. scan status and inventory found. TODO: b/425645186 - Remove this alias once all callers are migrated to the result package.
type Scanner ¶
type Scanner struct{}
Scanner is the main entry point of the scanner.
func (Scanner) Scan ¶
func (Scanner) Scan(ctx context.Context, config *ScanConfig) (sr *ScanResult)
Scan executes the extraction/detection/annotation/etc. plugins using the provided scan config.
func (Scanner) ScanContainer ¶ added in v0.1.6
func (s Scanner) ScanContainer(ctx context.Context, img *image.Image, config *ScanConfig) (sr *ScanResult, err error)
ScanContainer scans the provided container image for packages and security findings using the provided scan config. It populates the LayerDetails field of the packages with the origin layer details. Functions to create an Image from a tarball, remote name, or v1.Image are available in the artifact/image/layerscanning/image package.
Directories
¶
| Path | Synopsis |
|---|---|
|
Package annotator provides the interface for annotation plugins.
|
Package annotator provides the interface for annotation plugins. |
|
cachedir
Package cachedir implements an annotator for packages that are in cache directories.
|
Package cachedir implements an annotator for packages that are in cache directories. |
|
ffa/unknownbinariesanno
Package unknownbinariesanno removes all packages extracted by unknown binaries filters out the known binaries, and records the remaining as a finding.
|
Package unknownbinariesanno removes all packages extracted by unknown binaries filters out the known binaries, and records the remaining as a finding. |
|
ffa/unknownbinariesanno/internal/dpkgfilter
Package dpkgfilter filters out binaries that are part of a dpkg package
|
Package dpkgfilter filters out binaries that are part of a dpkg package |
|
ffa/unknownbinariesanno/internal/filter
Package filter defines the interface to implement a unknown binary filter.
|
Package filter defines the interface to implement a unknown binary filter. |
|
list
Package list provides a list of annotation plugins.
|
Package list provides a list of annotation plugins. |
|
osduplicate
Package osduplicate implements utility functions for identifying inventory duplicates found in OS packages.
|
Package osduplicate implements utility functions for identifying inventory duplicates found in OS packages. |
|
osduplicate/apk
Package apk implements an annotator for language packages that have already been found in APK OS packages.
|
Package apk implements an annotator for language packages that have already been found in APK OS packages. |
|
osduplicate/cos
Package cos implements an annotator for language packages that have already been found in COS OS packages.
|
Package cos implements an annotator for language packages that have already been found in COS OS packages. |
|
osduplicate/dpkg
Package dpkg implements an annotator for language packages that have already been found in DPKG OS packages.
|
Package dpkg implements an annotator for language packages that have already been found in DPKG OS packages. |
|
osduplicate/rpm
Package rpm implements an annotator for language packages that have already been found in RPM OS packages.
|
Package rpm implements an annotator for language packages that have already been found in RPM OS packages. |
|
artifact
|
|
|
image
Package image provides functionality to scan a container image by layers for software inventory.
|
Package image provides functionality to scan a container image by layers for software inventory. |
|
image/layerscanning/image
Package image provides functionality to scan a container image by layers for software inventory.
|
Package image provides functionality to scan a container image by layers for software inventory. |
|
image/layerscanning/testing/fakechainlayer
Package fakechainlayer provides a fake implementation of the image.ChainLayer and scalibrfs.FS interface for testing purposes.
|
Package fakechainlayer provides a fake implementation of the image.ChainLayer and scalibrfs.FS interface for testing purposes. |
|
image/layerscanning/testing/fakelayer
Package fakelayer provides a fake implementation of the image.Layer interface for testing purposes.
|
Package fakelayer provides a fake implementation of the image.Layer interface for testing purposes. |
|
image/layerscanning/testing/fakelayerbuilder
Package fakelayerbuilder uses a yaml file with custom syntax to build up fake layers for testing
|
Package fakelayerbuilder uses a yaml file with custom syntax to build up fake layers for testing |
|
image/layerscanning/testing/fakev1layer
Package fakev1layer provides a fake implementation of the v1.Layer interface for testing purposes.
|
Package fakev1layer provides a fake implementation of the v1.Layer interface for testing purposes. |
|
image/layerscanning/trace
Package trace provides functionality to trace the origin of an inventory in a container image.
|
Package trace provides functionality to trace the origin of an inventory in a container image. |
|
image/require
Package require provides an interface for specifying which files we are interested in during a container image extraction.
|
Package require provides an interface for specifying which files we are interested in during a container image extraction. |
|
image/symlink
Package symlink provides symlink-related util functions for container extraction.
|
Package symlink provides symlink-related util functions for container extraction. |
|
image/tar
Package tar provides functionality for saving a container image to a tarball.
|
Package tar provides functionality for saving a container image to a tarball. |
|
image/unpack
Package unpack contains functions to unpack an image.
|
Package unpack contains functions to unpack an image. |
|
image/whiteout
Package whiteout defines and implements whiteout related functions to be used in the layer scanning methods and functions.
|
Package whiteout defines and implements whiteout related functions to be used in the layer scanning methods and functions. |
|
binary
|
|
|
cdx
Package cdx provides utilities for writing CycloneDX documents to the filesystem.
|
Package cdx provides utilities for writing CycloneDX documents to the filesystem. |
|
cli
Package cli defines the structures to store the CLI flags used by the scanner binary.
|
Package cli defines the structures to store the CLI flags used by the scanner binary. |
|
platform
Package platform provides platform-specific functionality.
|
Package platform provides platform-specific functionality. |
|
proto
Package proto provides protobuf related utilities for the SCALIBR binary.
|
Package proto provides protobuf related utilities for the SCALIBR binary. |
|
scalibr
The scalibr command wraps around the SCALIBR library to create a standalone CLI for extraction + detection with direct access to the local machine's filesystem.
|
The scalibr command wraps around the SCALIBR library to create a standalone CLI for extraction + detection with direct access to the local machine's filesystem. |
|
scanrunner
Package scanrunner provides the main function for running a scan with the SCALIBR binary.
|
Package scanrunner provides the main function for running a scan with the SCALIBR binary. |
|
spdx
Package spdx provides utilities for writing SPDX documents to the filesystem.
|
Package spdx provides utilities for writing SPDX documents to the filesystem. |
|
clients
|
|
|
clienttest
Package clienttest provides mock servers for testing.
|
Package clienttest provides mock servers for testing. |
|
datasource
Package datasource provides clients to fetch data from different APIs.
|
Package datasource provides clients to fetch data from different APIs. |
|
depsdev/v1alpha1/grpcclient
Package grpcclient provides a GRPC client for the deps.dev API.
|
Package grpcclient provides a GRPC client for the deps.dev API. |
|
internal/pypi
Package pypi defines the structures to parse PyPI JSON API response.
|
Package pypi defines the structures to parse PyPI JSON API response. |
|
resolution
Package resolution provides clients required by dependency resolution.
|
Package resolution provides clients required by dependency resolution. |
|
common
|
|
|
linux/proc
Package proc provides utilities to parse /proc files.
|
Package proc provides utilities to parse /proc files. |
|
windows/registry
Package registry provides an interface to abstract the Windows registry libraries away.
|
Package registry provides an interface to abstract the Windows registry libraries away. |
|
Package converter provides utility functions for converting SCALIBR's scan results to standardized inventory formats.
|
Package converter provides utility functions for converting SCALIBR's scan results to standardized inventory formats. |
|
Package detector provides the interface for security-related detection plugins.
|
Package detector provides the interface for security-related detection plugins. |
|
cis/generic_linux/etcpasswdpermissions
Package etcpasswdpermissions implements a detector for the "Ensure permissions on /etc/passwd- are configured" CIS check.
|
Package etcpasswdpermissions implements a detector for the "Ensure permissions on /etc/passwd- are configured" CIS check. |
|
cve/untested/cve202011978
Package cve202011978 implements a detector for CVE-2020-11978.
|
Package cve202011978 implements a detector for CVE-2020-11978. |
|
cve/untested/cve202016846
Package cve202016846 implements a detector for CVE-2020-16846.
|
Package cve202016846 implements a detector for CVE-2020-16846. |
|
cve/untested/cve202233891
Package cve202233891 implements a detector for CVE-2022-33891.
|
Package cve202233891 implements a detector for CVE-2022-33891. |
|
cve/untested/cve202338408
Package cve202338408 implements a detector for CVE-2023-38408.
|
Package cve202338408 implements a detector for CVE-2023-38408. |
|
cve/untested/cve20236019
Package cve20236019 implements a SCALIBR Detector for CVE-2023-6019 To test, install a vulnerable Ray version: python3 -m pip install ray==2.6.3 Start the Ray dashboard: python3 -c "import ray; context = ray.init(); print(context)" Run the detector
|
Package cve20236019 implements a SCALIBR Detector for CVE-2023-6019 To test, install a vulnerable Ray version: python3 -m pip install ray==2.6.3 Start the Ray dashboard: python3 -c "import ray; context = ray.init(); print(context)" Run the detector |
|
cve/untested/cve20242912
Package cve20242912 implements a detector for CVE-2024-2912.
|
Package cve20242912 implements a detector for CVE-2024-2912. |
|
detectorrunner
Package detectorrunner provides a Run function to help with running detectors
|
Package detectorrunner provides a Run function to help with running detectors |
|
govulncheck/binary
Package binary implements a detector that uses govulncheck to scan for vulns on Go binaries found on the filesystem.
|
Package binary implements a detector that uses govulncheck to scan for vulns on Go binaries found on the filesystem. |
|
list
Package list provides a public list of SCALIBR-internal detection plugins.
|
Package list provides a public list of SCALIBR-internal detection plugins. |
|
weakcredentials/codeserver
Package codeserver contains a detector for weak credentials in Code-Server https://github.com/coder/code-server/.
|
Package codeserver contains a detector for weak credentials in Code-Server https://github.com/coder/code-server/. |
|
weakcredentials/etcshadow
Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow.
|
Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow. |
|
weakcredentials/filebrowser
Package filebrowser implements a detector for weak/guessable passwords on a filebrowser instance.
|
Package filebrowser implements a detector for weak/guessable passwords on a filebrowser instance. |
|
weakcredentials/winlocal
Package winlocal implements a weak passwords detector for local accounts on Windows.
|
Package winlocal implements a weak passwords detector for local accounts on Windows. |
|
weakcredentials/winlocal/samreg
Package samreg provides a wrapper around the SAM registry.
|
Package samreg provides a wrapper around the SAM registry. |
|
weakcredentials/winlocal/systemreg
Package systemreg provides a wrapper around the SYSTEM registry.
|
Package systemreg provides a wrapper around the SYSTEM registry. |
|
Package enricher provides the interface for enrichment plugins.
|
Package enricher provides the interface for enrichment plugins. |
|
baseimage
Package baseimage enriches inventory layer details with potential base images from deps.dev.
|
Package baseimage enriches inventory layer details with potential base images from deps.dev. |
|
enricherlist
Package enricherlist provides methods to initialize enrichers from attributes like names or capabilities.
|
Package enricherlist provides methods to initialize enrichers from attributes like names or capabilities. |
|
java/javareach
Package javareach provides Java reachability function
|
Package javareach provides Java reachability function |
|
secrets
Package secrets contains an Enricher that uses Veles Validators to validate Secrets found by the Veles Extractor.
|
Package secrets contains an Enricher that uses Veles Validators to validate Secrets found by the Veles Extractor. |
|
vex/filter
Package filter defines an enricher that filters out vulns with VEX signals.
|
Package filter defines an enricher that filters out vulns with VEX signals. |
|
Package extractor provides the common interface for standalone and filesystem extractors.
|
Package extractor provides the common interface for standalone and filesystem extractors. |
|
filesystem
Package filesystem provides the interface for inventory extraction plugins.
|
Package filesystem provides the interface for inventory extraction plugins. |
|
filesystem/containers/containerd
Package containerd extracts container package from containerd metadb database.
|
Package containerd extracts container package from containerd metadb database. |
|
filesystem/containers/podman
Package podman extracts container inventory from podman database.
|
Package podman extracts container inventory from podman database. |
|
filesystem/ffa/unknownbinariesextr
Package unknownbinariesextr identifies binary files on the filesystem and adds them as packages.
|
Package unknownbinariesextr identifies binary files on the filesystem and adds them as packages. |
|
filesystem/internal
Package internal contains miscellaneous functions and objects useful within Scalibr
|
Package internal contains miscellaneous functions and objects useful within Scalibr |
|
filesystem/internal/units
Package units provides constants for common units.
|
Package units provides constants for common units. |
|
filesystem/language/cpp/conanlock
Package conanlock extracts conan.lock files.
|
Package conanlock extracts conan.lock files. |
|
filesystem/language/dart/pubspec
Package pubspec extracts Dart pubspec.lock files.
|
Package pubspec extracts Dart pubspec.lock files. |
|
filesystem/language/dotnet/depsjson
Package depsjson extracts packages from .NET deps.json files.
|
Package depsjson extracts packages from .NET deps.json files. |
|
filesystem/language/dotnet/dotnetpe
Package dotnetpe extracts packages from .NET PE files.
|
Package dotnetpe extracts packages from .NET PE files. |
|
filesystem/language/dotnet/packagesconfig
Package packagesconfig extracts packages from .NET packages.config files.
|
Package packagesconfig extracts packages from .NET packages.config files. |
|
filesystem/language/dotnet/packageslockjson
Package packageslockjson extracts packages.lock.json files.
|
Package packageslockjson extracts packages.lock.json files. |
|
filesystem/language/elixir/mixlock
Package mixlock extracts elixir mix.lock files.
|
Package mixlock extracts elixir mix.lock files. |
|
filesystem/language/erlang/mixlock
Package mixlock extracts erlang mix.lock files.
|
Package mixlock extracts erlang mix.lock files. |
|
filesystem/language/erlang/mixlock/mixlockutils
Package mixlockutils provides common functions for parsing Mix.lock lockfiles.
|
Package mixlockutils provides common functions for parsing Mix.lock lockfiles. |
|
filesystem/language/erlang/mixlock/purl
Package purl converts mixlock package details into a mixlock PackageURL.
|
Package purl converts mixlock package details into a mixlock PackageURL. |
|
filesystem/language/golang/gobinary
Package gobinary extracts packages from buildinfo inside go binaries files.
|
Package gobinary extracts packages from buildinfo inside go binaries files. |
|
filesystem/language/golang/gomod
Package gomod extracts go.mod files.
|
Package gomod extracts go.mod files. |
|
filesystem/language/golang/purl
Package purl converts Go package details into a Go PackageURL.
|
Package purl converts Go package details into a Go PackageURL. |
|
filesystem/language/haskell/cabal
Package cabal extracts cabal.project.freeze files from haskell projects.
|
Package cabal extracts cabal.project.freeze files from haskell projects. |
|
filesystem/language/haskell/stacklock
Package stacklock extracts stack.yaml.lock files from haskell projects.
|
Package stacklock extracts stack.yaml.lock files from haskell projects. |
|
filesystem/language/java/archive
Package archive extracts Java archive files.
|
Package archive extracts Java archive files. |
|
filesystem/language/java/archive/metadata
Package metadata defines a Metadata struct for Java archives.
|
Package metadata defines a Metadata struct for Java archives. |
|
filesystem/language/java/gradlelockfile
Package gradlelockfile extracts pom.xml files.
|
Package gradlelockfile extracts pom.xml files. |
|
filesystem/language/java/gradleverificationmetadataxml
Package gradleverificationmetadataxml extracts Gradle files.
|
Package gradleverificationmetadataxml extracts Gradle files. |
|
filesystem/language/java/groupid
Package groupid provides functionality for retrieving the group ID of a Java package.
|
Package groupid provides functionality for retrieving the group ID of a Java package. |
|
filesystem/language/java/javalockfile
Package javalockfile provides shared structures for Java extractors.
|
Package javalockfile provides shared structures for Java extractors. |
|
filesystem/language/java/pomxml
Package pomxml extracts pom.xml files.
|
Package pomxml extracts pom.xml files. |
|
filesystem/language/java/pomxmlnet
Package pomxmlnet extracts Maven's pom.xml format with transitive dependency resolution.
|
Package pomxmlnet extracts Maven's pom.xml format with transitive dependency resolution. |
|
filesystem/language/java/purl
Package purl converts a package to a Maven type PackageURL.
|
Package purl converts a package to a Maven type PackageURL. |
|
filesystem/language/javascript/bunlock
Package bunlock extracts bun.lock files
|
Package bunlock extracts bun.lock files |
|
filesystem/language/javascript/internal/commitextractor
Package commitextractor provides a function to extract commit hash from the full git URL
|
Package commitextractor provides a function to extract commit hash from the full git URL |
|
filesystem/language/javascript/packagejson
Package packagejson extracts package.json files.
|
Package packagejson extracts package.json files. |
|
filesystem/language/javascript/packagelockjson
Package packagelockjson extracts package-lock.json files.
|
Package packagelockjson extracts package-lock.json files. |
|
filesystem/language/javascript/pnpmlock
Package pnpmlock extracts pnpm-lock.yaml files.
|
Package pnpmlock extracts pnpm-lock.yaml files. |
|
filesystem/language/javascript/purl
Package purl converts NPM package details into an NPM PackageURL.
|
Package purl converts NPM package details into an NPM PackageURL. |
|
filesystem/language/javascript/yarnlock
Package yarnlock extracts NPC yarn.lock files.
|
Package yarnlock extracts NPC yarn.lock files. |
|
filesystem/language/php/composerlock
Package composerlock extracts composer.lock files.
|
Package composerlock extracts composer.lock files. |
|
filesystem/language/python/condameta
Package condameta extracts Conda package metadata from conda-meta JSON files.
|
Package condameta extracts Conda package metadata from conda-meta JSON files. |
|
filesystem/language/python/pdmlock
Package pdmlock extracts pdm.lock files.
|
Package pdmlock extracts pdm.lock files. |
|
filesystem/language/python/pipfilelock
Package pipfilelock extracts Pipfile.lock files.
|
Package pipfilelock extracts Pipfile.lock files. |
|
filesystem/language/python/poetrylock
Package poetrylock extracts poetry.lock files.
|
Package poetrylock extracts poetry.lock files. |
|
filesystem/language/python/pypipurl
Package pypipurl converts a package to a PyPI type PackageURL.
|
Package pypipurl converts a package to a PyPI type PackageURL. |
|
filesystem/language/python/requirements
Package requirements extracts requirements files.
|
Package requirements extracts requirements files. |
|
filesystem/language/python/requirementsnet
Package requirementsnet extracts requirements files with .
|
Package requirementsnet extracts requirements files with . |
|
filesystem/language/python/setup
Package setup extracts packages from setup.py.
|
Package setup extracts packages from setup.py. |
|
filesystem/language/python/uvlock
Package uvlock extracts uv.lock files.
|
Package uvlock extracts uv.lock files. |
|
filesystem/language/python/wheelegg
Package wheelegg extracts wheel and egg files.
|
Package wheelegg extracts wheel and egg files. |
|
filesystem/language/r/renvlock
Package renvlock extracts renv.lock files.
|
Package renvlock extracts renv.lock files. |
|
filesystem/language/ruby/gemfilelock
Package gemfilelock extracts Gemfile.lock files.
|
Package gemfilelock extracts Gemfile.lock files. |
|
filesystem/language/ruby/gemspec
Package gemspec extracts *.gemspec files.
|
Package gemspec extracts *.gemspec files. |
|
filesystem/language/rust/cargoauditable
Package cargoauditable extracts dependencies from cargo auditable inside rust binaries.
|
Package cargoauditable extracts dependencies from cargo auditable inside rust binaries. |
|
filesystem/language/rust/cargolock
Package cargolock extracts Cargo.lock files for rust projects
|
Package cargolock extracts Cargo.lock files for rust projects |
|
filesystem/language/rust/cargotoml
Package cargotoml extracts Cargo.toml files for rust projects
|
Package cargotoml extracts Cargo.toml files for rust projects |
|
filesystem/language/swift/packageresolved
Package packageresolved extracts Package.resolved files
|
Package packageresolved extracts Package.resolved files |
|
filesystem/language/swift/podfilelock
Package podfilelock extracts dependencies from Podfile.lock files.
|
Package podfilelock extracts dependencies from Podfile.lock files. |
|
filesystem/language/swift/swiftutils
Package swiftutils provides utilities for parsing Swift podfiles.
|
Package swiftutils provides utilities for parsing Swift podfiles. |
|
filesystem/list
Package list provides a public list of SCALIBR-internal extraction plugins.
|
Package list provides a public list of SCALIBR-internal extraction plugins. |
|
filesystem/misc/chrome/extensions
Package extensions extracts chrome extensions.
|
Package extensions extracts chrome extensions. |
|
filesystem/misc/vscodeextensions
Package vscodeextensions extracts vscode extensions.
|
Package vscodeextensions extracts vscode extensions. |
|
filesystem/misc/wordpress/plugins
Package plugins extracts packages from installed Wordpress plugins.
|
Package plugins extracts packages from installed Wordpress plugins. |
|
filesystem/os/apk
Package apk extracts packages from the APK database.
|
Package apk extracts packages from the APK database. |
|
filesystem/os/apk/apkutil
Package apkutil provides utilities for reading APK package records.
|
Package apkutil provides utilities for reading APK package records. |
|
filesystem/os/apk/metadata
Package metadata defines a Metadata struct for apk packages.
|
Package metadata defines a Metadata struct for apk packages. |
|
filesystem/os/cos
Package cos extracts OS packages from Container Optimized OSes (go/cos).
|
Package cos extracts OS packages from Container Optimized OSes (go/cos). |
|
filesystem/os/cos/metadata
Package metadata defines a metadata struct for COS packages.
|
Package metadata defines a metadata struct for COS packages. |
|
filesystem/os/dpkg
Package dpkg extracts packages from dpkg database.
|
Package dpkg extracts packages from dpkg database. |
|
filesystem/os/dpkg/metadata
Package metadata defined a Metadata struct for DPKG packages.
|
Package metadata defined a Metadata struct for DPKG packages. |
|
filesystem/os/ecosystem
Package ecosystem converts OS package details into PackageURLs.
|
Package ecosystem converts OS package details into PackageURLs. |
|
filesystem/os/flatpak
Package flatpak extracts packages from flatpak metainfo files.
|
Package flatpak extracts packages from flatpak metainfo files. |
|
filesystem/os/flatpak/metadata
Package metadata defines a Metadata struct for flatpak packages.
|
Package metadata defines a Metadata struct for flatpak packages. |
|
filesystem/os/homebrew
Package homebrew extracts package information from OSX homebrew INSTALL_RECEIPT.json files.
|
Package homebrew extracts package information from OSX homebrew INSTALL_RECEIPT.json files. |
|
filesystem/os/kernel/module
Package module extracts .ko files from kernel modules.
|
Package module extracts .ko files from kernel modules. |
|
filesystem/os/kernel/module/metadata
Package metadata defines a metadata struct for kernel modules.
|
Package metadata defines a metadata struct for kernel modules. |
|
filesystem/os/kernel/vmlinuz
Package vmlinuz extracts information about vmlinuz compressed kernel images.
|
Package vmlinuz extracts information about vmlinuz compressed kernel images. |
|
filesystem/os/kernel/vmlinuz/metadata
Package metadata defines a metadata struct for kernel vmlinuz files.
|
Package metadata defines a metadata struct for kernel vmlinuz files. |
|
filesystem/os/macapps
Package macapps extracts applications data from Info.plist files of OS X devices.
|
Package macapps extracts applications data from Info.plist files of OS X devices. |
|
filesystem/os/nix
Package nix extracts packages from the Nix store directory.
|
Package nix extracts packages from the Nix store directory. |
|
filesystem/os/nix/metadata
Package metadata defines a metadata struct for nix packages.
|
Package metadata defines a metadata struct for nix packages. |
|
filesystem/os/osrelease
Package osrelease parses the os-release file.
|
Package osrelease parses the os-release file. |
|
filesystem/os/pacman
Package pacman extracts packages from archlinux desc file.
|
Package pacman extracts packages from archlinux desc file. |
|
filesystem/os/pacman/metadata
Package metadata defines a metadata struct for arch packages.
|
Package metadata defines a metadata struct for arch packages. |
|
filesystem/os/portage
Package portage extracts packages from portage database.
|
Package portage extracts packages from portage database. |
|
filesystem/os/portage/metadata
Package metadata defines a metadata struct for portage packages.
|
Package metadata defines a metadata struct for portage packages. |
|
filesystem/os/purl
Package purl converts OS package details into PackageURLs.
|
Package purl converts OS package details into PackageURLs. |
|
filesystem/os/rpm
Package rpm extracts packages from rpm database.
|
Package rpm extracts packages from rpm database. |
|
filesystem/os/rpm/metadata
Package metadata defines a metadata struct for rpm packages.
|
Package metadata defines a metadata struct for rpm packages. |
|
filesystem/os/snap
Package snap extracts snap packages
|
Package snap extracts snap packages |
|
filesystem/os/snap/metadata
Package metadata defines a metadata struct for SNAP packages.
|
Package metadata defines a metadata struct for SNAP packages. |
|
filesystem/osv
Package osv defines OSV-specific fields for parsed source packages.
|
Package osv defines OSV-specific fields for parsed source packages. |
|
filesystem/sbom/cdx
Package cdx extracts software dependencies from an CycloneDX SBOM.
|
Package cdx extracts software dependencies from an CycloneDX SBOM. |
|
filesystem/sbom/cdx/metadata
Package metadata defines a Metadata struct for CDX packages.
|
Package metadata defines a Metadata struct for CDX packages. |
|
filesystem/sbom/cdx/purl
Package purl extracts the PURL from a CDX package.
|
Package purl extracts the PURL from a CDX package. |
|
filesystem/sbom/spdx
Package spdx extracts software dependencies from an SPDX SBOM.
|
Package spdx extracts software dependencies from an SPDX SBOM. |
|
filesystem/sbom/spdx/metadata
Package metadata defines a Metadata struct for SPDX packages.
|
Package metadata defines a Metadata struct for SPDX packages. |
|
filesystem/sbom/spdx/purl
Package purl extracts the PURL from an SPDX package.
|
Package purl extracts the PURL from an SPDX package. |
|
filesystem/secrets
Package secrets contains a Scalibr filesystem Extractor that wraps the Veles secret scanning library to find secrets (i.e.
|
Package secrets contains a Scalibr filesystem Extractor that wraps the Veles secret scanning library to find secrets (i.e. |
|
filesystem/simplefileapi
Package simplefileapi provides a fake implementation of the filesystem.FileAPI interface.
|
Package simplefileapi provides a fake implementation of the filesystem.FileAPI interface. |
|
standalone
Package standalone provides a way to extract in a standalone mode (e.g.
|
Package standalone provides a way to extract in a standalone mode (e.g. |
|
standalone/containers/containerd
Package containerd extracts container inventory from containerd API.
|
Package containerd extracts container inventory from containerd API. |
|
standalone/containers/containerd/containerdmetadata
Package containerdmetadata defines the metadata for the containerd standalone extractor.
|
Package containerdmetadata defines the metadata for the containerd standalone extractor. |
|
standalone/containers/containerd/fakeclient
Package fakeclient contains a fake implementation of the containerd client for testing purposes.
|
Package fakeclient contains a fake implementation of the containerd client for testing purposes. |
|
standalone/containers/docker
Package docker extracts container inventory from docker API.
|
Package docker extracts container inventory from docker API. |
|
standalone/containers/docker/fakeclient
Package fakeclient contains a fake implementation of the docker client for testing purposes.
|
Package fakeclient contains a fake implementation of the docker client for testing purposes. |
|
standalone/list
Package list contains the list of all standalone extractors.
|
Package list contains the list of all standalone extractors. |
|
standalone/os/netports
Package netports extracts open ports on the system and maps them to running processes when possible.
|
Package netports extracts open ports on the system and maps them to running processes when possible. |
|
standalone/windows/common/metadata
Package metadata provides metadata structures to annotate Windows packages.
|
Package metadata provides metadata structures to annotate Windows packages. |
|
standalone/windows/common/purl
Package purl converts Windows application package details into a PackageURL.
|
Package purl converts Windows application package details into a PackageURL. |
|
standalone/windows/common/winproducts
Package winproducts contains information about Windows products.
|
Package winproducts contains information about Windows products. |
|
standalone/windows/dismpatch
Package dismpatch extract patch level from the DISM command line tool.
|
Package dismpatch extract patch level from the DISM command line tool. |
|
standalone/windows/dismpatch/dismparser
Package dismparser has methods that can be used to parse DISM output
|
Package dismparser has methods that can be used to parse DISM output |
|
standalone/windows/ospackages
Package ospackages extracts installed softwares on Windows.
|
Package ospackages extracts installed softwares on Windows. |
|
standalone/windows/regosversion
Package regosversion extracts the OS version (build, major, minor release) from the registry.
|
Package regosversion extracts the OS version (build, major, minor release) from the registry. |
|
standalone/windows/regpatchlevel
Package regpatchlevel extract patch level from the Windows registry.
|
Package regpatchlevel extract patch level from the Windows registry. |
|
Package fs provides a virtual filesystem interface for SCALIBR scans and related helper functions.
|
Package fs provides a virtual filesystem interface for SCALIBR scans and related helper functions. |
|
diriterate
Package diriterate provides a utility for iterating over the contents of a directory without loading all of it into memory at once.
|
Package diriterate provides a utility for iterating over the contents of a directory without loading all of it into memory at once. |
|
Package guidedremediation provides vulnerability fixing through dependency updates in manifest and lockfiles.
|
Package guidedremediation provides vulnerability fixing through dependency updates in manifest and lockfiles. |
|
internal/lockfile
Package lockfile provides methods for parsing and writing lockfiles.
|
Package lockfile provides methods for parsing and writing lockfiles. |
|
internal/lockfile/npm
Package npm provides the lockfile parsing and writing for the npm package-lock.json format.
|
Package npm provides the lockfile parsing and writing for the npm package-lock.json format. |
|
internal/manifest
Package manifest provides methods for parsing and writing manifest files.
|
Package manifest provides methods for parsing and writing manifest files. |
|
internal/manifest/maven
Package maven provides the manifest parsing and writing for the Maven pom.xml format.
|
Package maven provides the manifest parsing and writing for the Maven pom.xml format. |
|
internal/manifest/npm
Package npm provides the manifest parsing and writing for the npm package.json format.
|
Package npm provides the manifest parsing and writing for the npm package.json format. |
|
internal/manifest/python
Package python provides the manifest parsing and writing for Python requirements.txt.
|
Package python provides the manifest parsing and writing for Python requirements.txt. |
|
internal/matchertest
Package matchertest provides mock matcher for testing.
|
Package matchertest provides mock matcher for testing. |
|
internal/parser
Package parser provides functions for parsing and writing manifest and lockfile files.
|
Package parser provides functions for parsing and writing manifest and lockfile files. |
|
internal/remediation
Package remediation has the vulnerability remediation implementations.
|
Package remediation has the vulnerability remediation implementations. |
|
internal/resolution
Package resolution provides dependency graph resolution and vulnerability findings for guided remediation.
|
Package resolution provides dependency graph resolution and vulnerability findings for guided remediation. |
|
internal/severity
Package severity implements severity calculation for OSV records.
|
Package severity implements severity calculation for OSV records. |
|
internal/strategy/common
Package common implements functions common to multiple remediation strategies.
|
Package common implements functions common to multiple remediation strategies. |
|
internal/strategy/inplace
Package inplace implements the in-place remediation strategy.
|
Package inplace implements the in-place remediation strategy. |
|
internal/strategy/override
Package override implements the override remediation strategy.
|
Package override implements the override remediation strategy. |
|
internal/strategy/relax
Package relax implements the relax remediation strategy.
|
Package relax implements the relax remediation strategy. |
|
internal/strategy/relax/relaxer
Package relaxer implements requirement specification relaxation for ecosystems.
|
Package relaxer implements requirement specification relaxation for ecosystems. |
|
internal/suggest
Package suggest provides the functionality to suggest dependency update patch.
|
Package suggest provides the functionality to suggest dependency update patch. |
|
internal/tui/components
Package components contains some TUI components for the guided remediation interactive CLI.
|
Package components contains some TUI components for the guided remediation interactive CLI. |
|
internal/tui/model
Package model provides the program model for the guided remediation interactive tui.
|
Package model provides the program model for the guided remediation interactive tui. |
|
internal/util
Package util implements some utility functions for guided remediation.
|
Package util implements some utility functions for guided remediation. |
|
internal/vulns
Package vulns implements local matching for OSV records.
|
Package vulns implements local matching for OSV records. |
|
matcher
Package matcher provides the interface for the vulnerability matcher used by guided remediation.
|
Package matcher provides the interface for the vulnerability matcher used by guided remediation. |
|
options
Package options has the configuration options for guided remediation.
|
Package options has the configuration options for guided remediation. |
|
result
Package result defines the remediation result structs
|
Package result defines the remediation result structs |
|
strategy
Package strategy provides the guided remediation strategies.
|
Package strategy provides the guided remediation strategies. |
|
upgrade
Package upgrade provides the configuration for the allowable package upgrade levels for remediation.
|
Package upgrade provides the configuration for the allowable package upgrade levels for remediation. |
|
internal
|
|
|
dependencyfile/packagelockjson
Package packagelockjson provides the structures for npm's package-lock.json lockfile format.
|
Package packagelockjson provides the structures for npm's package-lock.json lockfile format. |
|
mavenutil
Package mavenutil provides utilities for merging Maven pom/xml.
|
Package mavenutil provides utilities for merging Maven pom/xml. |
|
Package inventory stores the scan result types SCALIBR can return.
|
Package inventory stores the scan result types SCALIBR can return. |
|
vex
Package vex stores data structures used to represent exploitability signals in SCALIBR scan results.
|
Package vex stores data structures used to represent exploitability signals in SCALIBR scan results. |
|
Package log defines SCALIBR's logger interface.
|
Package log defines SCALIBR's logger interface. |
|
Package packageindex is a wrapper around the collected package, which provides methods for fast lookup of identified software.
|
Package packageindex is a wrapper around the collected package, which provides methods for fast lookup of identified software. |
|
Package plugin collects the common code used by extractor and detector plugins.
|
Package plugin collects the common code used by extractor and detector plugins. |
|
list
Package list provides a functions for accessing SCALIBR-specific plugins from their respective type-specific lists.
|
Package list provides a functions for accessing SCALIBR-specific plugins from their respective type-specific lists. |
|
Package purl provides functions to code and decode package url according to the spec: https://github.com/package-url/purl-spec This package is a convenience wrapper and abstraction layer around an existing open source implementation.
|
Package purl provides functions to code and decode package url according to the spec: https://github.com/package-url/purl-spec This package is a convenience wrapper and abstraction layer around an existing open source implementation. |
|
Package result provides the ScanResult struct.
|
Package result provides the ScanResult struct. |
|
Package semantic provides version parsing and comparison for various ecosystems, matching the native versioning rules of each ecosystem.
|
Package semantic provides version parsing and comparison for various ecosystems, matching the native versioning rules of each ecosystem. |
|
Package stats contains interfaces and utilities relating to the collection of statistics from Scalibr.
|
Package stats contains interfaces and utilities relating to the collection of statistics from Scalibr. |
|
testing
|
|
|
extracttest
Package extracttest provides structures to help create tabular tests for extractors.
|
Package extracttest provides structures to help create tabular tests for extractors. |
|
fakedetector
Package fakedetector provides a Detector implementation to be used in tests.
|
Package fakedetector provides a Detector implementation to be used in tests. |
|
fakeenricher
Package fakeenricher provides an Enricher implementation to be used in tests.
|
Package fakeenricher provides an Enricher implementation to be used in tests. |
|
fakeextractor
Package fakeextractor provides a Extractor implementation to be used in tests.
|
Package fakeextractor provides a Extractor implementation to be used in tests. |
|
fakefs
Package fakefs provides a fake file system implementation for testing.
|
Package fakefs provides a fake file system implementation for testing. |
|
mockregistry
Package mockregistry provides a mock implementation of the registry.Registry interface.
|
Package mockregistry provides a mock implementation of the registry.Registry interface. |
|
testcollector
Package testcollector provides an implementation of stats.Collector that stores recorded metrics for verification in tests.
|
Package testcollector provides an implementation of stats.Collector that stores recorded metrics for verification in tests. |
|
Package veles is a standalone secret scanning library.
|
Package veles is a standalone secret scanning library. |
|
secrets/common/flatjson
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings.
|
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings. |
|
secrets/common/simpletoken
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression.
|
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression. |
|
secrets/gcpapikey
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview).
|
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview). |
|
secrets/gcpsak
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys.
|
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys. |
|
secrets/rubygemsapikey
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/).
|
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/). |
|
velestest
Package velestest contains fakes that can be used to test parts of Veles as well as integrations.
|
Package velestest contains fakes that can be used to test parts of Veles as well as integrations. |
Click to show internal directories.
Click to hide internal directories.