github.com/google/osv-scalibr@v0.4.1/README.md (about) 1 # OSV-SCALIBR 2 3 [](https://pkg.go.dev/github.com/google/osv-scalibr) 4 5 OSV-SCALIBR (Software Composition Analysis Library) is an extensible library 6 providing: 7 8 - File system scanner used to extract software inventory data (e.g. 9 installed language packages) and detect known vulnerabilities or generate SBOMs. 10 See the 11 [list of currently supported software inventory types](docs/supported_inventory_types.md). 12 - Container analysis functionality (e.g. layer-based extraction) 13 - Guided Remediation (generating upgrade patches for transitive vulnerabilities) 14 - And more! 15 16 This can be used as a library with a custom wrapper to perform scans on e.g. 17 container images (only linux-based currently) or remote hosts, or via the 18 [OSV-Scanner CLI](https://github.com/google/osv-scanner). It comes with built-in 19 plugins for inventory extraction and vulnerability detection and it also allows 20 users to run their custom plugins. 21 22 ## Prerequisites 23 24 To build OSV-SCALIBR, you'll need to have `go` installed. Follow 25 https://go.dev/doc/install. 26 27 ## How to use 28 29 ### Via the OSV-Scanner CLI 30 31 If your use case is known vulnerability scanning and extraction in a CLI 32 context, check out the 33 [OSV-Scanner usage guide](https://google.github.io/osv-scanner/usage/). 34 35 **Note:** Not all OSV-SCALIBR functionality is available via OSV-Scanner yet. 36 Check out [this migration guide](https://google.github.io/osv-scanner/migrating-from-scalibr.html) 37 for more information. 38 39 ### Via the OSV-SCALIBR wrapper binary 40 41 1. `go install github.com/google/osv-scalibr/binary/scalibr@latest` 42 1. `scalibr --result=result.textproto` 43 44 See the [result proto definition](/binary/proto/scan_result.proto) for details 45 about the scan result format. 46 47 Run `scalibr --help` for a list of additional CLI args. 48 49 ### As a library: 50 51 1. Import `github.com/google/osv-scalibr` into your Go project 52 1. Create a new [scalibr.ScanConfig](/scalibr.go#L36) struct, configure the 53 extraction and detection plugins to run 54 1. Call `scalibr.New().Scan()` with the config 55 1. Parse the returned [scalibr.ScanResults](/scalibr.go#L50) 56 57 See below for an example code snippet. 58 59 ### On a container image 60 61 Add the `--remote-image` flag to scan a remote container image. Example: 62 63 ``` 64 scalibr --result=result.textproto --remote-image=alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 65 ``` 66 67 Or the `--image-tarball` flag to scan a locally saved image tarball like ones 68 produced with `docker save my-image > my-image.tar`. Example: 69 70 ``` 71 scalibr --result=result.textproto --image-tarball=my-image.tar 72 ``` 73 74 Note: As mentioned previously only linux-based container images are supported 75 currently. Follow issue [#953](https://github.com/google/osv-scalibr/issues/953) 76 for tracking Windows image container scanning support. 77 78 ### SPDX generation 79 80 OSV-SCALIBR supports generating the result of inventory extraction as an SPDX 81 v2.3 file in json, yaml or tag-value format. Example usage: 82 83 ``` 84 scalibr -o spdx23-json=result.spdx.json 85 ``` 86 87 Some fields in the generated SPDX can be overwritten: 88 89 ``` 90 scalibr -spdx-document-name="Custom name" --spdx-document-namespace="Custom-namespace" --spdx-creators=Organization:Google -o spdx23-json=result.spdx.json 91 ``` 92 93 ## Running built-in plugins 94 95 ### With the standalone binary 96 97 The binary runs SCALIBR's "recommended" internal plugins by default. You can 98 enable more plugins with the `--plugins=` flags. See the 99 definition files for a list of all built-in plugins and their CLI flags 100 ([extractors (fs)](/extractor/filesystem/list/list.go), 101 [extractors (standalone)](/extractor/filesystem/list/list.go), 102 [detectors](/detector/list/list.go), 103 [annotators](/annotator/list/list.go), 104 [enrichers](/enricher/enricherlist/list.go)). 105 106 ### With the library 107 108 A collection of all built-in plugin modules can be found in the definition files 109 ([extractors (fs)](/extractor/filesystem/list/list.go), 110 [extractors (standalone)](/extractor/filesystem/list/list.go), 111 [detectors](/detector/list/list.go), 112 [annotators](/annotator/list/list.go), 113 [enrichers](/enricher/enricherlist/list.go)). 114 To enable them, just import plugin/list and add the appropriate plugin names 115 to the scan config, e.g. 116 ``` 117 import ( 118 "context" 119 scalibr "github.com/google/osv-scalibr" 120 pl "github.com/google/osv-scalibr/plugin/list" 121 scalibrfs "github.com/google/osv-scalibr/fs" 122 ) 123 plugins, _ := pl.FromNames([]string{"os", "cis", "vex"}) 124 cfg := &scalibr.ScanConfig{ 125 ScanRoots: scalibrfs.RealFSScanRoots("/"), 126 Plugins: plugins, 127 } 128 results := scalibr.New().Scan(context.Background(), cfg) 129 ``` 130 131 You can also specify your scanning host's capabilities to only enable plugins 132 whose requirements are satisfied (e.g. network access, OS-specific plugins): 133 134 ``` 135 import ( 136 ... 137 "github.com/google/osv-scalibr/plugin" 138 ) 139 capab := &plugin.Capabilities{ 140 OS: plugin.OSLinux, 141 Network: plugin.NetworkOnline, 142 DirectFS: true, 143 RunningSystem: true, 144 } 145 ... 146 cfg := &scalibr.ScanConfig{ 147 ScanRoots: scalibrfs.RealFSScanRoots("/"), 148 Plugins: plugin.FilterByCapabilities(plugins, capab), 149 } 150 ... 151 ``` 152 153 ## Creating + running custom plugins 154 155 Custom plugins can only be run when using OSV-SCALIBR as a library. 156 157 1. Create an implementation of the OSV-SCALIBR 158 [Extractor](/extractor/filesystem/extractor.go#L30) or 159 [Detector](/detector/detector.go#L28) interface. 160 2. Add the newly created struct to the scan config and run the scan, e.g. 161 162 ``` 163 import ( 164 "github.com/google/osv-scalibr/plugin" 165 scalibr "github.com/google/osv-scalibr" 166 ) 167 cfg := &scalibr.ScanConfig{ 168 Root: "/", 169 Plugins: []plugin.Plugin{&myExtractor{}}, 170 } 171 results := scalibr.New().Scan(context.Background(), cfg) 172 ``` 173 174 ### A note on cross-platform 175 176 OSV-SCALIBR is compatible with Linux and has experimental support for Windows 177 and Mac. When a new plugin is implemented for OSV-SCALIBR, we need to ensure 178 that it will not break other platforms. Our runners will generally catch 179 compatibility issues, but to ensure everything is easy when implementing a 180 plugin, here are a few recommendations to keep in mind: 181 182 * Ensure you work with file paths using the `filepath` library. For example, 183 avoid using `/my/path` but prefer `filepath.Join('my', 'path')` instead. 184 * If the plugin can only support one system (e.g. a windows-specific 185 detector), the layout will generally be to have two versions of the file: 186 * `file_system.go`: where `system` is the targeted system (e.g. 187 `file_windows.go`) that contains the code specific to the target system. 188 It must also contain the adequate go build constraint. 189 * `file_dummy.go`: contains the code for every other system. It generally 190 does nothing and just ensures that the code compiles on that system; 191 * Because of the way our internal automation works, we generally require unit 192 tests to be defined for every platform and be filtered out dynamically if 193 not compatible. In other words, a test should be filtered in/out using `if 194 runtime.GOOS` rather than a `//go:build` constraint. Here is an 195 [example](https://github.com/google/osv-scalibr/commit/7a87679f5c688e7bac4527d29c1823597a52bb40#diff-72efad005e0fbfe34c60e496dfb55ec15fc50f4b12be0934f08a3acaf7733616L79). 196 197 ## Custom logging 198 199 You can make the OSV-SCALIBR library log using your own custom logger by passing 200 an implementation of the [`log.Logger`](/log/log.go#L22) interface to 201 `log.SetLogger()`: 202 203 ``` 204 import ( 205 customlog "path/to/custom/log" 206 "github.com/google/osv-scalibr/log" 207 scalibr "github.com/google/osv-scalibr" 208 ) 209 cfg := &scalibr.ScanConfig{ScanRoot: "/"} 210 log.SetLogger(&customlog.Logger{}) 211 results := scalibr.New().Scan(context.Background(), cfg) 212 log.Info(results) 213 ``` 214 215 ## Contributing 216 217 Read how to [contribute to OSV-SCALIBR](CONTRIBUTING.md). 218 219 Look for any [open issues](https://github.com/google/osv-scalibr/issues?q=is%3Aissue%20state%3Aopen%20-label%3APRP) 220 or [unowned Patch Reward work](https://github.com/google/osv-scalibr/issues?q=is%3Aissue%20state%3Aopen%20label%3APRP%3AInactive) 221 you'd like to contribute to. 222 223 To build and test your local changes, run `make` and `make test`. A local 224 `scalibr` binary will be generated in the repo base. 225 226 Some of your code contributions might require regenerating protos. This can 227 happen when, say, you want to contribute a new inventory type. For such cases, 228 you'll need to install a few dependencies: 229 230 * `protoc`: Install the appropriate 231 [precompiled protoc binary](https://grpc.io/docs/protoc-installation/#install-pre-compiled-binaries-any-os). 232 * For Mac, you can also 233 [install via HomeBrew](https://grpc.io/docs/protoc-installation/#install-using-a-package-manager). 234 * `protoc-gen-go`: Run `go install 235 google.golang.org/protobuf/cmd/protoc-gen-go` 236 237 and then run `make protos` or `./build_protos.sh`. 238 239 ## Disclaimers 240 241 OSV-SCALIBR is not an official Google product.