供应链情报收集 on Linux邪修

OWASP Dependency-Check使用教程

Mon, 01 Jan 0001 00:00:00 +0000

OWASP Dependency-Check使用教程#

软件介绍#

OWASP Dependency-Check是一款软件组成分析（SCA）工具，用于识别项目依赖项中的已知漏洞。它扫描应用程序的依赖项，并与国家漏洞数据库（NVD）等漏洞数据库进行比对，生成包含漏洞信息的报告。

主要功能#

依赖项漏洞扫描
多种包管理器支持
漏洞数据库查询
风险评估和评分
多种报告格式
CI/CD集成
自定义规则配置
增量扫描

适用场景#

软件供应链安全
依赖项安全审计
漏洞风险评估
合规性检查
CI/CD安全集成
安全开发流程

入门级使用#

安装Dependency-Check#

使用包管理器安装#

# 使用Homebrew安装（macOS）
brew install dependency-check

# 使用Chocolatey安装（Windows）
choco install dependency-check

# 使用APT安装（Ubuntu/Debian）
sudo apt-get install dependency-check

使用Docker安装#

# 使用Docker运行
docker run --rm -v $(pwd):/src owasp/dependency-check:latest --scan /src

# 或下载独立版本
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.0/dependency-check-8.4.0-release.zip
unzip dependency-check-8.4.0-release.zip
cd dependency-check-8.4.0

使用Homebrew安装（推荐）#

# 安装Homebrew（如果未安装）
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# 安装Dependency-Check
brew install dependency-check

# 验证安装
dependency-check --version

基本扫描#

扫描Java项目#

# 扫描Maven项目
dependency-check --scan ./target --out ./reports

# 扫描Gradle项目
dependency-check --scan ./build --out ./reports

# 扫描特定JAR文件
dependency-check --scan ./lib/myapp.jar --out ./reports

扫描Node.js项目#

# 扫描package.json
dependency-check --scan ./package.json --out ./reports

# 扫描node_modules目录
dependency-check --scan ./node_modules --out ./reports

# 扫描yarn.lock
dependency-check --scan ./yarn.lock --out ./reports

扫描Python项目#

# 扫描requirements.txt
dependency-check --scan ./requirements.txt --out ./reports

# 扫描Pipfile
dependency-check --scan ./Pipfile --out ./reports

# 扫描setup.py
dependency-check --scan ./setup.py --out ./reports

初级使用#

扫描不同类型的项目#

扫描.NET项目#

# 扫描.csproj文件
dependency-check --scan ./MyProject.csproj --out ./reports

# 扫描packages.config
dependency-check --scan ./packages.config --out ./reports

# 扫描bin目录
dependency-check --scan ./bin --out ./reports

扫描Ruby项目#

# 扫描Gemfile
dependency-check --scan ./Gemfile --out ./reports

# 扫描Gemfile.lock
dependency-check --scan ./Gemfile.lock --out ./reports

扫描Go项目#

# 扫描go.mod
dependency-check --scan ./go.mod --out ./reports

# 扫描go.sum
dependency-check --scan ./go.sum --out ./reports

报告格式#

生成HTML报告#

# 生成HTML报告（默认）
dependency-check --scan ./target --out ./reports --format HTML

# 指定报告文件名
dependency-check --scan ./target --out ./reports/dependency-check-report.html

生成XML报告#

# 生成XML报告
dependency-check --scan ./target --out ./reports --format XML

# 用于CI/CD集成
dependency-check --scan ./target --out ./reports/dependency-check-report.xml --format XML

生成JSON报告#

# 生成JSON报告
dependency-check --scan ./target --out ./reports --format JSON

# 用于自动化处理
dependency-check --scan ./target --out ./reports/dependency-check-report.json --format JSON

生成CSV报告#

# 生成CSV报告
dependency-check --scan ./target --out ./reports --format CSV

# 用于数据分析
dependency-check --scan ./target --out ./reports/dependency-check-report.csv --format CSV

中级使用#

高级扫描选项#

排除特定依赖#

# 排除特定文件
dependency-check --scan ./target --out ./reports --exclude "test-*.jar"

# 排除特定目录
dependency-check --scan ./target --out ./reports --exclude "*/test/*"

# 使用正则表达式排除
dependency-check --scan ./target --out ./reports --exclude ".*-test\\.jar"

指定扫描深度#

# 递归扫描
dependency-check --scan ./target --out ./reports --recursive

# 限制扫描深度
dependency-check --scan ./target --out ./reports --depth 3

# 不递归扫描
dependency-check --scan ./target --out ./reports --no-recursive

配置数据缓存#

# 使用本地缓存
dependency-check --scan ./target --out ./reports --data /path/to/cache

# 更新缓存
dependency-check --updateOnly

# 指定缓存目录
dependency-check --scan ./target --out ./reports --cache ./cache

自定义配置#

使用配置文件#

# 创建配置文件
cat > dependency-check-config.properties << EOF
# Dependency-Check配置文件

# 扫描目录
scan.path=./target

# 输出目录
out.path=./reports

# 报告格式
format=HTML,XML

# 排除模式
exclude=.*-test\\.jar

# 递归扫描
recursive=true

# 缓存目录
cache=./cache

# 数据目录
data=./data

EOF

# 使用配置文件
dependency-check --config dependency-check-config.properties

自定义漏洞数据库#

# 使用自定义NVD数据库
dependency-check --scan ./target --out ./reports --nvd /path/to/nvd

# 使用自定义漏洞数据库
dependency-check --scan ./target --out ./reports --suppression /path/to/suppressions.xml

# 禁用特定数据库
dependency-check --scan ./target --out ./reports --disableExperimental

中上级使用#

CI/CD集成#

Jenkins集成#

// Jenkinsfile示例
pipeline {
 agent any
 
 stages {
 stage('Dependency Check') {
 steps {
 script {
 // 运行Dependency-Check
 sh 'dependency-check --scan ./target --out ./reports --format XML'
 
 // 解析结果
 dependencyCheckPublisher(
 pattern: 'reports/dependency-check-report.xml',
 failedTotalHigh: 0,
 failedTotalMedium: 10
 )
 }
 }
 }
 }
 
 post {
 always {
 // 归档报告
 archiveArtifacts artifacts: 'reports/**/*', fingerprint: true
 }
 }
}

GitHub Actions集成#

# .github/workflows/dependency-check.yml
name: Dependency Check

on:
 push:
 branches: [ main ]
 pull_request:
 branches: [ main ]
 schedule:
 - cron: '0 0 * * 0' # 每周运行一次

jobs:
 dependency-check:
 runs-on: ubuntu-latest
 
 steps:
 - uses: actions/checkout@v2
 
 - name: Run Dependency Check
 uses: dependency-check/Dependency-Check_Action@main
 with:
 project: 'my-project'
 path: '.'
 format: 'HTML'
 out: 'reports'
 
 - name: Upload Dependency Check Report
 uses: actions/upload-artifact@v2
 with:
 name: dependency-check-report
 path: reports/

GitLab CI集成#

# .gitlab-ci.yml
stages:
 - dependency-check

dependency-check:
 stage: dependency-check
 image: owasp/dependency-check:latest
 script:
 - dependency-check --scan . --out ./reports --format XML
 artifacts:
 paths:
 - reports/
 expire_in: 1 week
 allow_failure: true

自动化脚本#

批量扫描多个项目#

#!/bin/bash
# 批量扫描多个项目脚本

PROJECTS_DIR="/path/to/projects"
REPORTS_DIR="./reports"
mkdir -p "$REPORTS_DIR"

# 遍历所有项目
for project in "$PROJECTS_DIR"/*/; do
 project_name=$(basename "$project")
 echo "扫描项目: $project_name"
 
 # 运行扫描
 dependency-check --scan "$project" --out "$REPORTS_DIR/$project_name" --format HTML,XML
 
 # 检查是否有高危漏洞
 if grep -q "HIGH" "$REPORTS_DIR/$project_name/dependency-check-report.xml"; then
 echo "警告: $project_name 发现高危漏洞"
 fi
done

echo "批量扫描完成"

定期扫描脚本#

#!/bin/bash
# 定期扫描脚本

PROJECT_DIR="/path/to/project"
REPORTS_DIR="./reports"
LOG_FILE="./dependency-check.log"

# 记录日志
log() {
 echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}

# 更新漏洞数据库
log "更新漏洞数据库"
dependency-check --updateOnly

# 运行扫描
log "开始扫描项目"
dependency-check --scan "$PROJECT_DIR" --out "$REPORTS_DIR" --format HTML,XML

# 检查扫描结果
if [ $? -eq 0 ]; then
 log "扫描成功完成"
else
 log "扫描失败，退出码: $?"
fi

# 发送通知（如果有漏洞）
if grep -q "HIGH" "$REPORTS_DIR/dependency-check-report.xml"; then
 log "发现高危漏洞，发送通知"
 # 这里可以添加邮件或Slack通知
fi

log "扫描流程结束"

高级使用#

风险评估#

漏洞严重性分析#

#!/usr/bin/env python3
import xml.etree.ElementTree as ET
import json

def analyze_vulnerabilities(xml_file):
 """分析漏洞严重性"""
 
 tree = ET.parse(xml_file)
 root = tree.getroot()
 
 vulnerabilities = {
 "critical": [],
 "high": [],
 "medium": [],
 "low": [],
 "info": []
 }
 
 for dependency in root.findall(".//dependency"):
 for vuln in dependency.findall(".//vulnerability"):
 severity = vuln.get("severity", "UNKNOWN")
 name = dependency.get("filename")
 
 if severity == "CRITICAL":
 vulnerabilities["critical"].append(name)
 elif severity == "HIGH":
 vulnerabilities["high"].append(name)
 elif severity == "MEDIUM":
 vulnerabilities["medium"].append(name)
 elif severity == "LOW":
 vulnerabilities["low"].append(name)
 else:
 vulnerabilities["info"].append(name)
 
 return vulnerabilities

# 使用示例
vulns = analyze_vulnerabilities("reports/dependency-check-report.xml")
print(json.dumps(vulns, indent=2))

CVSS评分分析#

#!/usr/bin/env python3
import xml.etree.ElementTree as ET
from collections import defaultdict

def analyze_cvss_scores(xml_file):
 """分析CVSS评分"""
 
 tree = ET.parse(xml_file)
 root = tree.getroot()
 
 cvss_scores = defaultdict(list)
 
 for dependency in root.findall(".//dependency"):
 for vuln in dependency.findall(".//vulnerability"):
 cvss = vuln.find(".//cvssScore")
 if cvss is not None:
 score = float(cvss.text)
 name = dependency.get("filename")
 cvss_scores[name].append(score)
 
 # 计算平均CVSS评分
 avg_scores = {}
 for name, scores in cvss_scores.items():
 avg_scores[name] = sum(scores) / len(scores)
 
 return avg_scores

# 使用示例
scores = analyze_cvss_scores("reports/dependency-check-report.xml")
for name, score in sorted(scores.items(), key=lambda x: x[1], reverse=True):
 print(f"{name}: {score:.2f}")

自定义规则#

创建抑制规则#

<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
 <!-- 抑制特定CVE -->
 <suppress>
 <notes><![CDATA[
 假阳性：该CVE不适用于我们的使用场景
 ]]></notes>
 <cve>CVE-2021-12345</cve>
 </suppress>
 
 <!-- 抑制特定依赖 -->
 <suppress>
 <notes><![CDATA[
 内部依赖，不对外暴露
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/com\.mycompany/.*@.*$</packageUrl>
 </suppress>
 
 <!-- 抑制特定文件 -->
 <suppress>
 <notes><![CDATA[
 测试依赖，不用于生产
 ]]></notes>
 <filePath regex="true">.*/test/.*</filePath>
 </suppress>
 
 <!-- 抑制低严重性漏洞 -->
 <suppress>
 <notes><![CDATA[
 低严重性漏洞，已计划修复
 ]]></notes>
 <severity>LOW</severity>
 </suppress>
</suppressions>

使用抑制规则#

# 使用抑制规则文件
dependency-check --scan ./target --out ./reports \
 --suppression suppressions.xml

# 多个抑制规则文件
dependency-check --scan ./target --out ./reports \
 --suppression suppressions1.xml \
 --suppression suppressions2.xml

大师级使用#

企业级部署#

集中式扫描服务#

#!/bin/bash
# 集中式扫描服务脚本

SCAN_QUEUE="/path/to/scan_queue"
SCAN_RESULTS="/path/to/scan_results"
LOG_FILE="/var/log/dependency-check-service.log"

# 初始化队列
mkdir -p "$SCAN_QUEUE" "$SCAN_RESULTS"

# 扫描函数
scan_project() {
 local project_path=$1
 local project_name=$(basename "$project_path")
 local result_dir="$SCAN_RESULTS/$project_name"
 
 echo "$(date): 开始扫描 $project_name" >> "$LOG_FILE"
 
 # 创建结果目录
 mkdir -p "$result_dir"
 
 # 运行扫描
 dependency-check --scan "$project_path" --out "$result_dir" \
 --format HTML,XML,JSON
 
 # 记录结果
 if [ $? -eq 0 ]; then
 echo "$(date): $project_name 扫描成功" >> "$LOG_FILE"
 else
 echo "$(date): $project_name 扫描失败" >> "$LOG_FILE"
 fi
}

# 监控队列
while true; do
 for project in "$SCAN_QUEUE"/*; do
 if [ -f "$project" ]; then
 project_path=$(cat "$project")
 scan_project "$project_path"
 
 # 移除已处理的任务
 rm "$project"
 fi
 done
 
 sleep 60 # 每分钟检查一次
done

分布式扫描#

#!/usr/bin/env python3
import subprocess
import multiprocessing
import os

def scan_project(project_path, output_dir):
 """扫描单个项目"""
 cmd = [
 "dependency-check",
 "--scan", project_path,
 "--out", output_dir,
 "--format", "XML"
 ]
 
 result = subprocess.run(cmd, capture_output=True, text=True)
 return result.returncode, result.stdout, result.stderr

def distributed_scan(projects, output_base_dir, workers=4):
 """分布式扫描"""
 
 os.makedirs(output_base_dir, exist_ok=True)
 
 # 创建进程池
 with multiprocessing.Pool(workers) as pool:
 results = []
 
 for project in projects:
 project_name = os.path.basename(project)
 output_dir = os.path.join(output_base_dir, project_name)
 
 result = pool.apply_async(scan_project, (project, output_dir))
 results.append(result)
 
 # 等待所有任务完成
 for result in results:
 returncode, stdout, stderr = result.get()
 
 if returncode != 0:
 print(f"扫描失败: {stderr}")
 else:
 print(f"扫描成功: {stdout}")

# 使用示例
projects = [
 "/path/to/project1",
 "/path/to/project2",
 "/path/to/project3"
]

distributed_scan(projects, "./scan_results", workers=4)

高级分析#

依赖关系分析#

#!/usr/bin/env python3
import xml.etree.ElementTree as ET
import networkx as nx
import matplotlib.pyplot as plt

def build_dependency_graph(xml_file):
 """构建依赖关系图"""
 
 tree = ET.parse(xml_file)
 root = tree.getroot()
 
 G = nx.DiGraph()
 
 for dependency in root.findall(".//dependency"):
 name = dependency.get("filename")
 
 # 添加节点
 G.add_node(name)
 
 # 添加依赖关系
 for child in dependency.findall(".//dependency"):
 child_name = child.get("filename")
 G.add_edge(name, child_name)
 
 return G

def visualize_graph(G, output_file="dependency_graph.png"):
 """可视化依赖关系图"""
 
 plt.figure(figsize=(12, 8))
 pos = nx.spring_layout(G)
 
 nx.draw(G, pos, with_labels=True, node_size=3000,
 node_color='lightblue', font_size=8)
 
 plt.savefig(output_file, dpi=300, bbox_inches='tight')
 plt.close()

# 使用示例
G = build_dependency_graph("reports/dependency-check-report.xml")
visualize_graph(G, "dependency_graph.png")

趋势分析#

#!/usr/bin/env python3
import xml.etree.ElementTree as ET
import json
from datetime import datetime
import matplotlib.pyplot as plt

def extract_vulnerability_data(xml_file):
 """提取漏洞数据"""
 
 tree = ET.parse(xml_file)
 root = tree.getroot()
 
 data = {
 "timestamp": datetime.now().isoformat(),
 "total": 0,
 "critical": 0,
 "high": 0,
 "medium": 0,
 "low": 0
 }
 
 for dependency in root.findall(".//dependency"):
 for vuln in dependency.findall(".//vulnerability"):
 severity = vuln.get("severity", "UNKNOWN")
 data["total"] += 1
 
 if severity == "CRITICAL":
 data["critical"] += 1
 elif severity == "HIGH":
 data["high"] += 1
 elif severity == "MEDIUM":
 data["medium"] += 1
 elif severity == "LOW":
 data["low"] += 1
 
 return data

def analyze_trend(data_files):
 """分析漏洞趋势"""
 
 trend_data = []
 
 for file in data_files:
 data = extract_vulnerability_data(file)
 trend_data.append(data)
 
 # 绘制趋势图
 timestamps = [d["timestamp"] for d in trend_data]
 critical = [d["critical"] for d in trend_data]
 high = [d["high"] for d in trend_data]
 medium = [d["medium"] for d in trend_data]
 
 plt.figure(figsize=(12, 6))
 plt.plot(timestamps, critical, label='Critical', color='red')
 plt.plot(timestamps, high, label='High', color='orange')
 plt.plot(timestamps, medium, label='Medium', color='yellow')
 
 plt.xlabel('Time')
 plt.ylabel('Vulnerability Count')
 plt.title('Vulnerability Trend')
 plt.legend()
 plt.xticks(rotation=45)
 plt.tight_layout()
 
 plt.savefig('vulnerability_trend.png', dpi=300)
 plt.close()

# 使用示例
data_files = [
 "reports/scan1.xml",
 "reports/scan2.xml",
 "reports/scan3.xml"
]

analyze_trend(data_files)

实战案例#

案例1: Java项目安全审计#

场景描述#

对Java项目进行全面的安全审计，识别依赖项中的已知漏洞。

Snyk使用教程

Mon, 01 Jan 0001 00:00:00 +0000

Snyk使用教程#

软件介绍#

Snyk是一款专业的软件供应链安全平台，专注于发现和修复应用程序依赖项中的已知漏洞。它提供全面的漏洞数据库、实时监控和自动化修复功能，是现代DevSecOps流程中的重要工具。

主要功能#

依赖项漏洞扫描
实时漏洞监控
自动化修复建议
许可证合规性检查
容器安全扫描
基础设施即代码扫描
CI/CD集成
企业级管理

适用场景#

软件供应链安全
依赖项安全审计
DevSecOps流程集成
漏洞风险管理
合规性检查
持续安全监控

入门级使用#

安装Snyk CLI#

使用npm安装#

# 安装Snyk CLI
npm install -g snyk

# 验证安装
snyk --version

使用Homebrew安装#

# 安装Homebrew（如果未安装）
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# 安装Snyk CLI
brew install snyk

# 验证安装
snyk --version

使用Docker安装#

# 使用Docker运行
docker run --rm -v $(pwd):/project snyk/snyk:latest

# 或创建别名
alias snyk='docker run --rm -v $(pwd):/project snyk/snyk:latest'

注册和认证#

注册Snyk账号#

# 注册Snyk账号
snyk auth

# 按提示完成注册和认证

# 或使用令牌认证
snyk auth <your-auth-token>

配置组织#

# 设置默认组织
snyk config set org=your-org-name

# 查看当前配置
snyk config get

# 查看所有配置
snyk config

基本扫描#

扫描Node.js项目#

# 扫描当前目录
snyk test

# 扫描特定目录
snyk test ./my-project

# 扫描package.json
snyk test package.json

# 扫描yarn.lock
snyk test yarn.lock

扫描Python项目#

# 扫描requirements.txt
snyk test requirements.txt

# 扫描Pipfile
snyk test Pipfile

# 扫描setup.py
snyk test setup.py

# 扫描poetry.lock
snyk test poetry.lock

扫描Java项目#

# 扫描Maven项目
snyk test --file=pom.xml

# 扫描Gradle项目
snyk test --file=build.gradle

# 扫描特定JAR文件
snyk test myapp.jar

初级使用#

扫描不同类型的项目#

扫描.NET项目#

# 扫描.csproj文件
snyk test --file=MyProject.csproj

# 扫描packages.config
snyk test packages.config

# 扫描项目解决方案
snyk test MySolution.sln

扫描Ruby项目#

# 扫描Gemfile
snyk test Gemfile

# 扫描Gemfile.lock
snyk test Gemfile.lock

扫描Go项目#

# 扫描go.mod
snyk test go.mod

# 扫描go.sum
snyk test go.sum

扫描PHP项目#

# 扫描composer.json
snyk test composer.json

# 扫描composer.lock
snyk test composer.lock

监控项目#

启用持续监控#

# 监控当前项目
snyk monitor

# 监控特定目录
snyk monitor ./my-project

# 监控并设置标签
snyk monitor --tags=production,web-app

# 监控并设置项目名称
snyk monitor --project-name=my-awesome-project

查看监控状态#

# 查看所有监控的项目
snyk projects

# 查看特定项目的详情
snyk test --json | jq .

# 查看项目统计
snyk test --json | jq '.vulnerabilities | length'

中级使用#

漏洞修复#

自动修复漏洞#

# 自动修复所有漏洞
snyk wizard

# 交互式修复
snyk wizard

# 修复特定漏洞
snyk fix --severity=high

# 修复特定类型的漏洞
snyk fix --type=dev

查看修复建议#

# 查看修复建议
snyk test --json | jq '.vulnerabilities[] | {id, title, severity, fixVersion}'

# 查看可修复的漏洞
snyk test --json | jq '.vulnerabilities[] | select(.fixVersion)'

# 查看不可修复的漏洞
snyk test --json | jq '.vulnerabilities[] | select(.fixVersion == null)'

高级扫描选项#

按严重性过滤#

# 只显示高危漏洞
snyk test --severity-threshold=high

# 只显示中危及以上漏洞
snyk test --severity-threshold=medium

# 只显示特定严重性的漏洞
snyk test --severity=high

按CVSS评分过滤#

# 只显示CVSS评分大于7的漏洞
snyk test --cvss-threshold=7

# 只显示CVSS评分大于9的漏洞
snyk test --cvss-threshold=9

排除特定依赖#

# 排除特定依赖
snyk test --exclude=lodash

# 排除多个依赖
snyk test --exclude=lodash,express

# 使用配置文件排除
cat > .snyk << EOF
exclude:
 - lodash
 - express
 - moment
EOF

snyk test

报告生成#

生成JSON报告#

# 生成JSON报告
snyk test --json > report.json

# 美化JSON输出
snyk test --json | jq .

# 提取漏洞信息
snyk test --json | jq '.vulnerabilities[]'

生成HTML报告#

# 生成HTML报告
snyk test --json | snyk-to-html -o report.html

# 使用Snyk Web界面
snyk test --json > report.json
# 然后在Snyk Web界面中查看

生成SARIF报告#

# 生成SARIF报告（用于GitHub）
snyk test --sarif-file-output=snyk.sarif

# 上传到GitHub
gh api repos/:owner/:repo/code-scanning/sarifs \
 -X POST \
 -f commit_sha=$(git rev-parse HEAD) \
 -f ref=$(git rev-parse --abbrev-ref HEAD) \
 -f sarif=@snyk.sarif

中上级使用#

CI/CD集成#

GitHub Actions集成#

# .github/workflows/snyk.yml
name: Snyk Security Scan

on:
 push:
 branches: [ main ]
 pull_request:
 branches: [ main ]
 schedule:
 - cron: '0 0 * * 0' # 每周运行一次

jobs:
 security:
 runs-on: ubuntu-latest
 
 steps:
 - uses: actions/checkout@v2
 
 - name: Run Snyk to check for vulnerabilities
 uses: snyk/actions/node@master
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 args: --severity-threshold=high
 
 - name: Upload result to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v1
 if: always()
 with:
 sarif_file: snyk.sarif

GitLab CI集成#

# .gitlab-ci.yml
stages:
 - security

snyk-scan:
 stage: security
 image: node:latest
 
 before_script:
 - npm install -g snyk
 - snyk auth $SNYK_TOKEN
 
 script:
 - snyk test --severity-threshold=high
 
 allow_failure: true
 
 artifacts:
 paths:
 - snyk.sarif
 expire_in: 1 week

Jenkins集成#

// Jenkinsfile
pipeline {
 agent any
 
 environment {
 SNYK_TOKEN = credentials('snyk-token')
 }
 
 stages {
 stage('Snyk Scan') {
 steps {
 script {
 // 安装Snyk CLI
 sh 'npm install -g snyk'
 
 // 认证
 sh 'snyk auth $SNYK_TOKEN'
 
 // 运行扫描
 sh 'snyk test --severity-threshold=high'
 }
 }
 }
 }
 
 post {
 always {
 // 归档报告
 archiveArtifacts artifacts: 'snyk.sarif', fingerprint: true
 }
 }
}

容器安全#

扫描Docker镜像#

# 扫描本地Docker镜像
snyk container test myimage:latest

# 扫描远程Docker镜像
snyk container test nginx:latest

# 扫描并设置严重性阈值
snyk container test myimage:latest --severity-threshold=high

# 扫描并生成JSON报告
snyk container test myimage:latest --json > container-report.json

监控Docker镜像#

# 监控Docker镜像
snyk container monitor myimage:latest

# 监控并设置标签
snyk container monitor myimage:latest --tags=production,web

# 监控并设置项目名称
snyk container monitor myimage:latest --project-name=my-container

扫描Kubernetes清单#

# 扫描Kubernetes YAML文件
snyk iac test k8s/deployment.yaml

# 扫描Kubernetes目录
snyk iac test k8s/

# 扫描Helm图表
snyk iac test helm-chart/

# 扫描Terraform配置
snyk iac test main.tf

许可证合规性#

检查许可证#

# 检查许可证合规性
snyk test --license-policy

# 检查特定许可证类型
snyk test --license-policy=GPL

# 查看许可证报告
snyk test --json | jq '.licenses[]'

配置许可证策略#

# 创建许可证策略文件
cat > .snyk-licenses << EOF
# 许可证策略配置

allow:
 - MIT
 - Apache-2.0
 - BSD-3-Clause

deny:
 - GPL-3.0
 - AGPL-3.0
 - MPL-2.0

exceptions:
 - package: some-gpl-package
 license: GPL-3.0
 reason: 临时使用，计划替换
EOF

# 使用许可证策略
snyk test --policy-path=.snyk-licenses

高级使用#

自动化脚本#

批量扫描多个项目#

#!/bin/bash
# 批量扫描多个项目脚本

PROJECTS_DIR="/path/to/projects"
LOG_FILE="snyk-batch-scan.log"

# 记录日志
log() {
 echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}

# 扫描函数
scan_project() {
 local project_path=$1
 local project_name=$(basename "$project_path")
 
 log "开始扫描项目: $project_name"
 
 cd "$project_path"
 
 # 运行扫描
 snyk test --severity-threshold=high --json > "../snyk-reports/${project_name}.json" 2>&1
 
 if [ $? -eq 0 ]; then
 log "项目 $project_name 扫描成功"
 else
 log "项目 $project_name 扫描失败"
 fi
 
 cd - > /dev/null
}

# 创建报告目录
mkdir -p snyk-reports

# 扫描所有项目
for project in "$PROJECTS_DIR"/*/; do
 scan_project "$project"
done

log "批量扫描完成"

定期扫描脚本#

#!/bin/bash
# 定期扫描脚本

PROJECT_DIR="/path/to/project"
REPORTS_DIR="./snyk-reports"
LOG_FILE="snyk-scheduled-scan.log"

# 记录日志
log() {
 echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}

# 创建报告目录
mkdir -p "$REPORTS_DIR"

# 更新Snyk数据库
log "更新Snyk数据库"
snyk monitor

# 运行扫描
log "开始扫描项目"
snyk test --severity-threshold=high --json > "$REPORTS_DIR/scan-$(date +%Y%m%d-%H%M%S).json"

# 分析结果
if [ $? -eq 0 ]; then
 log "扫描成功完成"
 
 # 检查是否有高危漏洞
 HIGH_COUNT=$(jq '[.vulnerabilities[] | select(.severity == "high")] | length' "$REPORTS_DIR"/scan-*.json | tail -1)
 
 if [ "$HIGH_COUNT" -gt 0 ]; then
 log "发现 $HIGH_COUNT 个高危漏洞"
 # 发送通知
 # send_notification "发现高危漏洞"
 fi
else
 log "扫描失败"
fi

log "扫描流程结束"

高级分析#

漏洞趋势分析#

#!/usr/bin/env python3
import json
import os
from datetime import datetime
import matplotlib.pyplot as plt

def analyze_vulnerability_trend(reports_dir):
 """分析漏洞趋势"""
 
 trend_data = []
 
 # 读取所有报告
 for filename in sorted(os.listdir(reports_dir)):
 if filename.endswith('.json'):
 filepath = os.path.join(reports_dir, filename)
 
 with open(filepath) as f:
 data = json.load(f)
 
 # 提取时间戳
 timestamp = datetime.strptime(filename, 'scan-%Y%m%d-%H%M%S.json')
 
 # 统计漏洞
 vulns = data.get('vulnerabilities', [])
 
 trend_data.append({
 'timestamp': timestamp,
 'total': len(vulns),
 'high': len([v for v in vulns if v['severity'] == 'high']),
 'medium': len([v for v in vulns if v['severity'] == 'medium']),
 'low': len([v for v in vulns if v['severity'] == 'low'])
 })
 
 return trend_data

def plot_trend(trend_data):
 """绘制趋势图"""
 
 timestamps = [d['timestamp'] for d in trend_data]
 high = [d['high'] for d in trend_data]
 medium = [d['medium'] for d in trend_data]
 low = [d['low'] for d in trend_data]
 
 plt.figure(figsize=(12, 6))
 plt.plot(timestamps, high, label='High', color='red')
 plt.plot(timestamps, medium, label='Medium', color='orange')
 plt.plot(timestamps, low, label='Low', color='green')
 
 plt.xlabel('Time')
 plt.ylabel('Vulnerability Count')
 plt.title('Vulnerability Trend')
 plt.legend()
 plt.xticks(rotation=45)
 plt.tight_layout()
 
 plt.savefig('vulnerability-trend.png', dpi=300)
 plt.close()

# 使用示例
trend_data = analyze_vulnerability_trend('./snyk-reports')
plot_trend(trend_data)

依赖关系分析#

#!/usr/bin/env python3
import json
import networkx as nx
import matplotlib.pyplot as plt

def build_dependency_graph(snyk_report):
 """构建依赖关系图"""
 
 G = nx.DiGraph()
 
 # 添加根节点
 root_package = snyk_report.get('packageManager', 'unknown')
 G.add_node(root_package)
 
 # 添加依赖项
 for dep in snyk_report.get('dependencies', []):
 dep_name = dep.get('name', 'unknown')
 G.add_node(dep_name)
 G.add_edge(root_package, dep_name)
 
 # 添加子依赖
 for subdep in dep.get('dependencies', []):
 subdep_name = subdep.get('name', 'unknown')
 G.add_node(subdep_name)
 G.add_edge(dep_name, subdep_name)
 
 return G

def visualize_graph(G, output_file='dependency-graph.png'):
 """可视化依赖关系图"""
 
 plt.figure(figsize=(12, 8))
 pos = nx.spring_layout(G)
 
 nx.draw(G, pos, with_labels=True, node_size=3000,
 node_color='lightblue', font_size=8)
 
 plt.savefig(output_file, dpi=300, bbox_inches='tight')
 plt.close()

# 使用示例
with open('snyk-report.json') as f:
 report = json.load(f)

G = build_dependency_graph(report)
visualize_graph(G, 'dependency-graph.png')

大师级使用#

企业级部署#

集中式管理#

#!/bin/bash
# 企业级Snyk管理脚本

ORGANIZATION="your-org-name"
PROJECTS_DIR="/path/to/projects"
CENTRAL_DB="/path/to/central-db"
LOG_FILE="/var/log/snyk-management.log"

# 记录日志
log() {
 echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}

# 扫描并上传到中央数据库
scan_and_upload() {
 local project_path=$1
 local project_name=$(basename "$project_path")
 
 log "扫描项目: $project_name"
 
 cd "$project_path"
 
 # 运行扫描
 snyk test --org="$ORGANIZATION" --json > "$CENTRAL_DB/${project_name}.json"
 
 # 监控项目
 snyk monitor --org="$ORGANIZATION" --project-name="$project_name"
 
 cd - > /dev/null
 
 log "项目 $project_name 扫描并监控完成"
}

# 扫描所有项目
for project in "$PROJECTS_DIR"/*/; do
 scan_and_upload "$project"
done

log "所有项目扫描完成"

自动化修复流程#

#!/usr/bin/env python3
import subprocess
import json
import sys

def run_snyk_test():
 """运行Snyk测试"""
 result = subprocess.run(
 ['snyk', 'test', '--json'],
 capture_output=True,
 text=True
 )
 
 if result.returncode != 0:
 print(f"Snyk测试失败: {result.stderr}")
 return None
 
 return json.loads(result.stdout)

def fix_vulnerabilities(report):
 """修复漏洞"""
 
 vulnerabilities = report.get('vulnerabilities', [])
 fixable = [v for v in vulnerabilities if v.get('fixVersion')]
 
 print(f"发现 {len(vulnerabilities)} 个漏洞")
 print(f"可修复: {len(fixable)} 个")
 
 if not fixable:
 print("没有可修复的漏洞")
 return
 
 # 运行修复
 print("开始修复漏洞...")
 result = subprocess.run(
 ['snyk', 'fix'],
 capture_output=True,
 text=True
 )
 
 if result.returncode == 0:
 print("漏洞修复成功")
 print(result.stdout)
 else:
 print(f"漏洞修复失败: {result.stderr}")

# 主流程
report = run_snyk_test()
if report:
 fix_vulnerabilities(report)

高级集成#

与Jira集成#

#!/usr/bin/env python3
import json
from jira import JIRA

def create_jira_issue(vulnerability, project_key):
 """创建Jira问题"""
 
 jira = JIRA(server='https://your-jira-instance.com',
 basic_auth=('username', 'password'))
 
 issue_dict = {
 'project': {'key': project_key},
 'summary': f"Security Vulnerability: {vulnerability['title']}",
 'description': f"""
 Vulnerability ID: {vulnerability['id']}
 Severity: {vulnerability['severity']}
 CVSS Score: {vulnerability.get('cvssScore', 'N/A')}
 
 Description:
 {vulnerability.get('description', 'N/A')}
 
 Fix Version:
 {vulnerability.get('fixVersion', 'N/A')}
 
 References:
 {', '.join(vulnerability.get('references', []))}
 """,
 'issuetype': {'name': 'Bug'},
 'priority': {'name': 'High'}
 }
 
 new_issue = jira.create_issue(fields=issue_dict)
 return new_issue.key

def create_jira_issues(snyk_report, project_key):
 """为所有漏洞创建Jira问题"""
 
 vulnerabilities = snyk_report.get('vulnerabilities', [])
 
 for vuln in vulnerabilities:
 if vuln['severity'] in ['high', 'critical']:
 issue_key = create_jira_issue(vuln, project_key)
 print(f"Created Jira issue: {issue_key}")

# 使用示例
with open('snyk-report.json') as f:
 report = json.load(f)

create_jira_issues(report, 'SEC')

与Slack集成#

#!/usr/bin/env python3
import json
import requests
from datetime import datetime

def send_slack_notification(webhook_url, message):
 """发送Slack通知"""
 
 payload = {
 'text': message,
 'username': 'Snyk Bot',
 'icon_emoji': ':shield:'
 }
 
 response = requests.post(webhook_url, json=payload)
 return response.status_code == 200

def create_slack_message(snyk_report):
 """创建Slack消息"""
 
 vulnerabilities = snyk_report.get('vulnerabilities', [])
 
 high_count = len([v for v in vulnerabilities if v['severity'] == 'high'])
 medium_count = len([v for v in vulnerabilities if v['severity'] == 'medium'])
 
 message = f"""
 🛡️ *Snyk Security Scan Report*
 
 *Scan Time:* {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
 
 *Vulnerability Summary:*
 • High: {high_count}
 • Medium: {medium_count}
 • Low: {len(vulnerabilities) - high_count - medium_count}
 
 *Total Vulnerabilities:* {len(vulnerabilities)}
 
 <https://app.snyk.io/org/your-org/project/your-project|View in Snyk>
 """
 
 return message

# 使用示例
with open('snyk-report.json') as f:
 report = json.load(f)

message = create_slack_message(report)
webhook_url = 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL'

send_slack_notification(webhook_url, message)

实战案例#

案例1: 企业级依赖项安全监控#

场景描述#

建立企业级的依赖项安全监控系统，统一管理所有项目的依赖项安全。

供应链安全评估技术详解

Mon, 01 Jan 0001 00:00:00 +0000

供应链安全评估技术详解#

技术介绍#

供应链安全评估是网络安全中信息收集的重要环节，通过自动化工具和技术手段，发现和分析目标组织的供应链依赖、第三方组件和潜在安全风险，为后续的安全测试和漏洞利用提供基础。供应链安全评估技术广泛应用于渗透测试、安全审计和漏洞评估等场景。

供应链安全评估核心概念#

供应链发现：通过各种手段发现目标组织的供应链依赖
第三方组件分析：分析目标组织使用的第三方组件
供应商安全评估：评估目标组织供应商的安全状况
供应链漏洞扫描：扫描供应链中的安全漏洞
供应链风险评估：评估供应链的整体安全风险

供应链安全评估架构#

信息收集：通过公开信息、API、文档等方式收集供应链相关信息
供应链发现：使用专用工具和技术发现供应链依赖
第三方组件分析：分析第三方组件的版本、漏洞和安全状况
供应商安全评估：评估供应商的安全状况和合规性
供应链漏洞扫描：扫描供应链中的安全漏洞
供应链风险评估：评估供应链的整体安全风险
报告生成：生成详细的供应链安全评估报告

入门级使用#

供应链发现#

使用基本工具发现供应链依赖：

# 使用搜索引擎发现供应链依赖
curl -s "https://api.google.com/customsearch/v1?key=API_KEY&cx=CX&q=site:example.com+dependencies|vendors|suppliers"

# 分析网站源码发现第三方组件
curl -s https://example.com | grep -E 'script|link' | grep -E 'src|href' | grep -v example.com

# 分析移动应用发现供应链依赖
# Android应用
apktool d app.apk
find app -name "*.xml" -o -name "*.gradle" | xargs grep -l "implementation"

# iOS应用
otool -L App.ipa

# 分析开源项目发现供应链依赖
# npm项目
npm list --depth=0

# Maven项目
mvn dependency:tree

# Gradle项目
gradle dependencies

# Python项目
pip list

# Ruby项目
bundle list

第三方组件分析#

分析第三方组件：