Dependency Observatory Scanner: a scanner for software packages and their dependencies
Detailed description of the Python project dependency-observatory-scanner
find-package-rugaru
Finds the open-source packages that git repositories depend on, then tests and flags suspicious open-source packages (like the legendary rugaru).

NB: this project is in alpha and its API is unstable.
Installation

Requirements

- docker >= 18.06.3
- python 3.8+ and pip
- jq
- the system packages needed to build psycopg2 (e.g. build-essential libpq-dev on debian buster)

After installing the above requirements:
    $ git clone https://github.com/mozilla-services/find-package-rugaru.git
    $ cd find-package-rugaru
    $ make install install-dev
    $ docker pull mozilla/dependencyscan
    $ docker pull postgres:12
Example usage

- start a local postgres database:

- run one or more of the scripts:

    ./bin/analyze_package.sh <package_name> [<package_version>]
    ./bin/analyze_repo.sh <repository_url>
    $ ./bin/analyze_package.sh lodash 4.17.15
    analyzing lodash@4.17.15
    saving intermediate results to /tmp/dep-obs.g7mNNBaLyVjR
    ...
    2020-02-27 17:31:31,900 - fpr - INFO - pipeline finished
    null
    2020-02-27 17:31:32,403 - fpr - INFO - pipeline finished
    $
Or, if you have more time, scan all of the git tags of the lodash repo:

    $ ./bin/analyze_repo.sh https://github.com/lodash/lodash.git
    analyzing tags of https://github.com/lodash/lodash.git
    saving intermediate results to /tmp/dep-obs.5pvSrfbn6Nox
    ...

Check the scripts' source code for additional configuration via environment variables.
- inspect the results in the local database:

    $ make db-shell
    PGPASSWORD=postgres psql -U postgres -h localhost -p 5432 dependency_observatory
    psql (12.2 (Ubuntu 12.2-2.pgdg18.04+1), server 12.1 (Debian 12.1-1.pgdg100+1))
    Type "help" for help.

    dependency_observatory=# \x on
    Expanded display is on.
    dependency_observatory=# SELECT * FROM package_versions WHERE name = 'lodash' ORDER BY inserted_at DESC;
    -[ RECORD 1 ]-------------------------------------------------------
    id          | 102
    name        | lodash
    version     | 4.17.15
    language    | node
    url         | https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
    repo_url    |
    repo_commit |
    inserted_at | 2020-02-26 17:12:47.373348
    updated_at  |
Pipelines

The scripts are composed of components called pipelines (for lack of a better term). For example, analyze_package.sh will:

- fetch information about the package from the npm registry
- filter the git refs to clone down to the matching version (if one was specified)
- for each ref, find dependency manifests or lockfiles (e.g. package.json) in a debian:buster-slim docker image
- for each ref, run npm install --save=true, npm list --json and {} in the project root in a node:10-buster-slim docker image
- postprocess the results and save them to the local postgres database
Each individual pipeline can also be run on its own. For example, the find_git_refs pipeline used in analyze_repo.sh will find the git tags of the mozilla-services/channelserver project:

    $ echo '{"repo_url": "https://github.com/mozilla-services/channelserver"}' | docker run -i --rm -v /var/run/docker.sock:/var/run/docker.sock --name fpr-test mozilla/dependencyscan python fpr/run_pipeline.py -v find_git_refs
Current pipelines (from the -h output)

    crate_graph         Parses the output of the cargo metadata pipeline and writes a .dot file of the dependencies to outfile
    dep_graph           Parses the output of the cargo metadata pipeline and writes a .dot file of the dependencies to outfile
    fetch_package_data  Fetches additional data about a dependency.
    find_dep_files      Given a repo_url, clones the repo, lists git refs for each tag
    find_git_refs       Given a repo_url, clones the repo, lists git refs for each tag
                        TODO: every Nth commit, or commit every time interval.
                        TODO: since and until args
                        TODO: find branches
    github_metadata     Given an input file with repo urls metadata output fetches dependency and vulnerability metadata from GitHub and an optional GitHub PAT and outputs them to jsonl and optionally saves them to a local SQLite3 DB.
    postprocess         Post processes tasks for various outputs e.g. flattening deps, filtering and extracting fields, etc. Does not spin up containers or hit the network.
    run_repo_tasks      Runs tasks on a checked out git ref with dep. files
    rust_changelog      Given ordered cargo metadata output for git refs from the same repo:
                        1. builds a dict of manifest filename to cargo meta
                        2. groups the output into pairs (i.e. 1, 2, 3 -> (1, 2), (2, 3) in the provided order
                        3. compares each pair as follows:
                           a. compare each manifest filename:
                              1) count new and removed dependencies
                              2) new and removed authors and repo urls
                        TODO: output a diff of the updated dep code (need to update the cargo metadata pipeline to pull these)
                        TODO: take audit output to show new and fixed Rust vulns
                        TODO: detect dep version changes
    save_to_db          Saves JSON lines to a postgres DB
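The steps listed for rust_changelog above (group by manifest, pair adjacent refs, diff dependencies, authors and repo urls) can be carried out stand-alone. The following is an added example and not the project's own pipeline code: it runs over constructed `cargo metadata`-style records for three ordered tags of one repo, where each record is assumed to carry the git ref it came from, the manifest filename, and the `packages` list that `cargo metadata` emits (only `name`, `version`, `authors` and `repository` are read). It goes one step beyond the help text by also reporting version changes of retained dependencies, which the listing marks as a TODO.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed records (not real project output) for three ordered tags of one repo.
CARGO_META_BY_REF: List[Dict] = [
    {"ref": "v0.1.0", "manifest": "Cargo.toml", "packages": [
        {"name": "serde", "version": "1.0.100", "authors": ["Serde Developers"],
         "repository": "https://github.com/serde-rs/serde"},
        {"name": "log", "version": "0.4.8", "authors": ["The Rust Project Developers"],
         "repository": "https://github.com/rust-lang/log"},
    ]},
    {"ref": "v0.2.0", "manifest": "Cargo.toml", "packages": [
        {"name": "serde", "version": "1.0.104", "authors": ["Serde Developers"],
         "repository": "https://github.com/serde-rs/serde"},
        {"name": "log", "version": "0.4.8", "authors": ["The Rust Project Developers"],
         "repository": "https://github.com/rust-lang/log"},
        {"name": "rand", "version": "0.7.3", "authors": ["The Rand Project Developers"],
         "repository": "https://github.com/rust-random/rand"},
    ]},
    {"ref": "v0.3.0", "manifest": "Cargo.toml", "packages": [
        {"name": "serde", "version": "1.0.104", "authors": ["Serde Developers"],
         "repository": "https://github.com/serde-rs/serde"},
        {"name": "rand", "version": "0.7.3", "authors": ["The Rand Project Developers"],
         "repository": "https://github.com/rust-random/rand"},
    ]},
]


def group_by_manifest(records: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """Step 1: dict of manifest filename -> cargo metadata records, kept in input order."""
    grouped: Dict[str, List[Dict]] = defaultdict(list)
    for rec in records:
        grouped[rec["manifest"]].append(rec)
    return dict(grouped)


def pairwise(items: List[Dict]) -> List[Tuple[Dict, Dict]]:
    """Step 2: (1, 2, 3) -> [(1, 2), (2, 3)] in the provided order."""
    return list(zip(items, items[1:]))


def compare_pair(older: Dict, newer: Dict) -> Dict:
    """Step 3: new/removed dependencies, authors and repo urls between two refs.
    A new author or repo url appearing for an existing crate name is exactly the
    kind of change a reviewer wants surfaced, so it is reported separately."""
    old = {p["name"]: p for p in older["packages"]}
    new = {p["name"]: p for p in newer["packages"]}
    old_authors = {a for p in old.values() for a in p.get("authors", [])}
    new_authors = {a for p in new.values() for a in p.get("authors", [])}
    old_repos = {p["repository"] for p in old.values() if p.get("repository")}
    new_repos = {p["repository"] for p in new.values() if p.get("repository")}
    return {
        "from_ref": older["ref"], "to_ref": newer["ref"], "manifest": newer["manifest"],
        "new_deps": sorted(new.keys() - old.keys()),
        "removed_deps": sorted(old.keys() - new.keys()),
        "new_authors": sorted(new_authors - old_authors),
        "removed_authors": sorted(old_authors - new_authors),
        "new_repo_urls": sorted(new_repos - old_repos),
        "removed_repo_urls": sorted(old_repos - new_repos),
        # Beyond the help text: version bumps of dependencies present in both refs.
        "version_changes": {n: (old[n]["version"], new[n]["version"])
                            for n in sorted(old.keys() & new.keys())
                            if old[n]["version"] != new[n]["version"]},
    }


def rust_changelog(records: Iterable[Dict]) -> List[Dict]:
    """Run steps 1-3 for every manifest; one comparison dict per adjacent pair of refs."""
    results = []
    for recs in group_by_manifest(records).values():
        for older, newer in pairwise(recs):
            results.append(compare_pair(older, newer))
    return results


if __name__ == "__main__":
    import json
    for entry in rust_changelog(CARGO_META_BY_REF):
        print(json.dumps(entry))
```

Feeding real `cargo metadata` output into this requires attaching the ref and manifest filename to each record first; the page's own pipelines do that upstream, which is why the example treats those two fields as given.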
See the bin/analyze_* scripts and the Makefile for example usage.

They feed into each other as follows (* marks a deprecated, removed or otherwise broken pipeline):
Pipeline API

Note that this interface is subject to change.

Each pipeline:

- takes -i, --infile and {} arguments, defaulting to stdin and stdout respectively, so that pipelines can be chained with shell pipes
- runs as a Python async generator

See the design doc for the reasons this interface was chosen.
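A stand-alone pipeline written against the contract the Pipeline API section describes, as an added example that is not the project's own code: it takes -i/--infile and an -o/--outfile argument (the output flag's name is an assumption, since the page only shows the input flag) defaulting to stdin and stdout, runs its work as a Python async generator, and reads and writes JSON lines so it can sit in a shell pipe between other pipelines. The work it does, flattening the nested tree that npm list --json prints into one row per dependency with the chain of parents that pulled it in, is the kind of job the postprocess pipeline is described as doing; the sample tree and the function names are constructed for this example.

```python
import argparse
import asyncio
import io
import json
import sys
from typing import AsyncIterator, Dict, Iterable, List, Optional

# Constructed sample (not real tool output): a trimmed `npm list --json` tree.
SAMPLE_NPM_LIST: Dict = {
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {
        "lodash": {"version": "4.17.15"},
        "left-pad": {
            "version": "1.3.0",
            "dependencies": {"nested-dep": {"version": "0.1.0"}},
        },
    },
}
SAMPLE_JSONL = json.dumps(SAMPLE_NPM_LIST) + "\n"


def flatten_npm_list(tree: Dict, path: Optional[List[str]] = None) -> Iterable[Dict]:
    """Walk the nested `dependencies` map depth-first, yielding one flat row per
    package. `path` keeps the chain of parents so a transitive dependency stays
    attributable to the direct dependency that pulled it in."""
    path = path or []
    for name, info in (tree.get("dependencies") or {}).items():
        chain = path + [name]
        yield {"name": name, "version": info.get("version"), "depth": len(chain), "path": chain}
        yield from flatten_npm_list(info, chain)


async def read_jsonl(lines: Iterable[str]) -> AsyncIterator[Dict]:
    """Input side of the contract: one JSON document per non-empty line."""
    for line in lines:
        if line.strip():
            yield json.loads(line)


async def flatten_pipeline(records: AsyncIterator[Dict]) -> AsyncIterator[Dict]:
    """The pipeline proper: an async generator that consumes input records and
    yields output rows, so a caller can chain it like any other async iterator."""
    async for record in records:
        for row in flatten_npm_list(record):
            yield row


async def run(lines: Iterable[str], outfile) -> List[Dict]:
    """Drive the pipeline: write each row as a JSON line and return the rows."""
    rows = []
    async for row in flatten_pipeline(read_jsonl(lines)):
        outfile.write(json.dumps(row) + "\n")
        rows.append(row)
    return rows


def run_pipeline_sync(jsonl_text: str) -> List[Dict]:
    """Convenience for scripts and tests: run over a JSONL string and return the rows."""
    return asyncio.run(run(jsonl_text.splitlines(), io.StringIO()))


def main(argv: Optional[List[str]] = None) -> None:
    parser = argparse.ArgumentParser(description="flatten `npm list --json` trees into JSON lines")
    parser.add_argument("-i", "--infile", type=argparse.FileType("r"), default=sys.stdin)
    parser.add_argument("-o", "--outfile", type=argparse.FileType("w"), default=sys.stdout)
    args = parser.parse_args(argv)
    asyncio.run(run(args.infile, args.outfile))


if __name__ == "__main__":
    main()
```

Saved as flatten_pipeline.py, it is driven like the pipelines on this page: `npm list --json | jq -c . | python flatten_pipeline.py` prints one JSON line per dependency, and `-o rows.jsonl` redirects that output to a file instead of stdout.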
Adding a pipeline

- copy an existing file from fpr/pipelines/
- give it a new name in its Pipeline model declaration
- add it to fpr/pipelines/__init__.py