RohitKumarReddySakam/supply-chain-scanner

GitHub: RohitKumarReddySakam/supply-chain-scanner

A multi-ecosystem supply chain security scanner that combines vulnerability detection, typosquatted-package identification, license compliance and SBOM generation, helping teams block risky dependencies before they reach production.

Stars: 0 | Forks: 0

# 🔗 Supply Chain Security Scanner
[![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/) [![Flask](https://img.shields.io/badge/flask-3.0-green.svg)](https://flask.palletsprojects.com/) [![OSV.dev](https://img.shields.io/badge/CVE_DB-OSV.dev-orange)](https://osv.dev/) [![CycloneDX](https://img.shields.io/badge/SBOM-CycloneDX_1.5-purple)](https://cyclonedx.org/) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

**Detect vulnerable, malicious and license-noncompliant dependencies before they reach production**

[Live Demo](#quick-start) · [API Docs](#api-reference) · [CI/CD Integration](#cicd-integration)

## 🎯 Problem Statement

Supply chain attacks are the **fastest-growing threat vector** in software security:

- **SolarWinds** (2020): over 18,000 organisations compromised through a poisoned update
- **Log4Shell / Log4j** (2021): CVSS 10.0, affecting more than 3 billion Java installations
- **XZ Utils** (2024): a backdoor that came within a hair of landing in a Linux compression library
- **82% of codebases** contain at least one vulnerable open-source dependency

This scanner provides **automated, multi-layer defence** against supply chain attacks through dependency vulnerability scanning, typosquatting detection, SBOM generation and license compliance enforcement.

## 📊 Feature Overview

| Feature | Details |
|---------|---------|
| **Ecosystems** | Python (pip), Node.js (npm), Java (Maven/Gradle), Go, Rust, Ruby |
| **Vulnerability database** | OSV.dev API (free) + 11 preloaded critical CVEs |
| **Detected CVEs** | Log4Shell, PyYAML RCE, Django DoS, Flask session, urllib3, Paramiko Terrapin and more |
| **Typosquatting** | Levenshtein distance analysis against 50+ popular packages |
| **License compliance** | 50+ SPDX license types; flags GPL/AGPL/SSPL |
| **SBOM output** | CycloneDX 1.5 with PURL identifiers |
| **Risk scoring** | Composite score (0–100) → letter grade (A–F) |
| **CI/CD** | Includes a self-scanning GitHub Actions workflow |

## 🏗️ Architecture

```
 Dependency File (requirements.txt / package.json / pom.xml / go.mod)
                                │
                                ▼
                    ┌───────────────────────┐
                    │ Dependency Extractor  │
                    │ Multi-ecosystem parser│
                    └───────────┬───────────┘
                                │
       ┌────────────────┬───────┴────────┬────────────────┐
       ▼                ▼                ▼                ▼
┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│Vulnerability│  │Typosquatting│  │  License    │  │    SBOM     │
│  Checker    │  │  Detector   │  │  Checker    │  │  Generator  │
│OSV.dev API  │  │Levenshtein  │  │ 50+ SPDX    │  │ CycloneDX   │
│+ Local DB   │  │+ Known-bad  │  │ policies    │  │    1.5      │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │                │
       └────────────────┴───────┬────────┴────────────────┘
                                │
                    ┌───────────▼──────────┐
                    │    Risk Scoring      │
                    │   Composite 0–100    │
                    │   Letter Grade A–F   │
                    └───────────┬──────────┘
                                │
                    ┌───────────▼──────────┐
                    │   Web Dashboard +    │
                    │   REST API +         │
                    │   SBOM Download      │
                    └──────────────────────┘
```

## ⚡ Quick Start

```
# Clone and set up
git clone https://github.com/srkrcyber/supply-chain-scanner.git
cd supply-chain-scanner
chmod +x setup.sh && ./setup.sh

# Or set up manually
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
python app.py
# → http://localhost:5001
```

### Try It Now

1. Open **http://localhost:5001**
2. Click **⚡ Run Demo Scan** to scan 14 vulnerable packages immediately
3. Review **CVEs, CVSS scores, fixed versions, risk grade and SBOM**

## 🔍 Real CVEs Detected

| CVE | Package | CVSS | Impact |
|-----|---------|------|--------|
| CVE-2021-44228 | log4j 2.14.1 | **10.0** | Log4Shell: remote code execution (RCE) |
| CVE-2022-1471 | PyYAML 5.3.1 | **9.8** | SnakeYAML RCE via deserialization |
| CVE-2023-49083 | cryptography 3.4.6 | 7.5 | NULL pointer dereference |
| CVE-2023-44271 | Pillow 9.0.0 | 7.5 | DoS via ImageFont |
| CVE-2023-43665 | Django 3.2.0 | 7.5 | DoS via Truncator |
| CVE-2023-30861 | Flask 2.0.0 | 7.5 | Session cookie disclosure |
| CVE-2022-40897 | setuptools 57.0.0 | 7.5 | ReDoS |
| CVE-2023-48795 | paramiko 2.8.0 | 5.9 | Terrapin attack (SSH) |
| CVE-2023-32681 | requests 2.25.0 | 6.1 | SSRF via proxy headers |
| CVE-2023-45803 | urllib3 1.26.4 | 4.2 | HTTP redirect body leak |

## 🔌 API Reference

```
# Upload a file for scanning
POST /api/scan
Content-Type: multipart/form-data
file:

# Scan pasted content
POST /api/scan/text
{"content": "requests==2.25.0\n...", "filename": "requirements.txt"}

# Get scan status / results
GET /api/scan/

# Download SBOM (CycloneDX JSON)
GET /api/sbom/

# Run the demo scan
POST /api/demo

# Global statistics
GET /api/stats
```

## 🔄 CI/CD Integration

```
# .github/workflows/supply-chain-check.yml
name: Supply Chain Security Check
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install scanner
        run: |
          git clone https://github.com/srkrcyber/supply-chain-scanner.git scanner
          pip install -r scanner/requirements.txt
      - name: Scan dependencies
        run: |
          cd scanner
          python -c "
          from core.dependency_extractor import DependencyExtractor
          from core.vulnerability_checker import VulnerabilityChecker
          ext = DependencyExtractor()
          chk = VulnerabilityChecker()
          with open('../requirements.txt') as f:
              content = f.read()
          deps, eco = ext.extract('requirements.txt', content)
          vulns = chk.check_all(deps)
          critical = [v for v in vulns if v.get('severity') == 'CRITICAL']
          if critical:
              print('BUILD FAILED: Critical vulnerabilities found')
              exit(1)
          print(f'PASSED: {len(deps)} deps scanned, {len(vulns)} vulns found')
          "
```

## 📁 Project Structure

```
supply-chain-scanner/
├── app.py                       # Flask application & REST API
├── config.py                    # Configuration
├── requirements.txt             # Dependencies
├── Dockerfile                   # Container
│
├── core/
│   ├── dependency_extractor.py  # Multi-ecosystem parser
│   ├── vulnerability_checker.py # OSV.dev + local CVE DB
│   ├── sbom_generator.py        # CycloneDX 1.5 SBOM
│   ├── typosquat_detector.py    # Levenshtein typo detection
│   ├── license_checker.py       # SPDX license compliance
│   └── risk_scorer.py           # Composite risk scoring
│
├── templates/                   # Jinja2 web UI
├── static/                      # CSS, JavaScript
├── tests/                       # 18 pytest tests
├── examples/                    # Sample vulnerable files
└── .github/workflows/           # CI/CD with self-scanning
```

## 👨‍💻 Author

**Rohit Kumar Reddy Sakam**, DevSecOps Engineer & Penetration Tester

[![LinkedIn](https://img.shields.io/badge/LinkedIn-Connect-blue)](https://linkedin.com/in/rohitkumarreddysakam) [![GitHub](https://img.shields.io/badge/GitHub-srkrcyber-black)](https://github.com/srkrcyber) [![Portfolio](https://img.shields.io/badge/Portfolio-srkrcyber.com-green)](https://srkrcyber.com)

## 📄 License

MIT License. See [LICENSE](LICENSE) for details.
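The feature table above describes the Dependency Extractor and the Typosquatting Detector (Levenshtein distance against a list of popular packages). The following is an added example written for this page, not the project's `dependency_extractor.py` or `typosquat_detector.py`: it parses `requirements.txt` text into normalised (name, version) pairs, computes plain Levenshtein distance against a constructed shortlist (`POPULAR_PACKAGES`, standing in for the project's 50+ list), and flags names that are within two edits of a popular package without matching it exactly. The sample requirements and the planted look-alike names are constructed.

```python
# Added example, not the project's typosquat_detector.py or dependency_extractor.py:
# parse requirements.txt lines and flag package names within a small edit
# distance of a popular package. POPULAR_PACKAGES is a constructed shortlist.
import re

# Constructed shortlist; the project ships a list of 50+ popular names.
POPULAR_PACKAGES = [
    "requests", "numpy", "pandas", "django", "flask", "urllib3",
    "cryptography", "pillow", "paramiko", "setuptools", "pyyaml",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(content: str) -> list[tuple[str, str | None]]:
    """Return (normalized_name, pinned_version) pairs from requirements.txt text.

    Blank lines, comments and option lines (-r, --index-url, ...) are skipped.
    Only an '==' pin yields a version; any other specifier gives None.
    """
    spec = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;,]+))?")
    deps = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = spec.match(line)
        if m:
            deps.append((normalize(m.group(1)), m.group(2)))
    return deps


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_typosquats(deps, popular=POPULAR_PACKAGES, max_distance=2):
    """Flag names that are close to, but not identical to, a popular package."""
    targets = sorted({normalize(p) for p in popular})
    findings = []
    for name, version in deps:
        if name in targets:
            continue  # exact match: this is the genuine package
        best = min(targets, key=lambda t: levenshtein(name, t))
        d = levenshtein(name, best)
        if d <= max_distance:
            findings.append({"package": name, "version": version,
                             "looks_like": best, "distance": d})
    return findings


# Constructed sample input; 'reqeusts' and 'numpyy' are the planted look-alikes.
SAMPLE_REQUIREMENTS = """\
# pinned for the demo
requests==2.25.0
reqeusts==2.31.0
numpyy==1.26.0
Django==3.2.0
-r other.txt
pillow>=9.0
"""

if __name__ == "__main__":
    for f in find_typosquats(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{f['package']}=={f['version']} looks like {f['looks_like']} "
              f"(edit distance {f['distance']})")
```

Normalising both sides before comparing matters: `Django` and `django` are the same PyPI project, so without normalisation the genuine package would be reported as a one-edit look-alike of itself. A distance threshold of 2 catches transposed and doubled letters while keeping unrelated short names apart; a production detector would combine this with a known-bad list, as the architecture diagram shows.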
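The feature table states that findings are folded into a composite 0–100 risk score with an A–F grade and that the SBOM is CycloneDX 1.5 with PURL identifiers. The following is an added example written for this page, not the project's `risk_scorer.py` or `sbom_generator.py`. The severity weights, the grade bands and the `PURL_TYPE` mapping are assumptions (the page states only the score and grade ranges); the sample dependencies are constructed, and the four findings are copied from the "Real CVEs Detected" table above. The SBOM uses the CycloneDX `vulnerabilities` array so that each finding points back at its component by `bom-ref`, which is what a CI gate or dashboard needs to link a CVE to a specific pinned package.

```python
# Added example, not the project's risk_scorer.py or sbom_generator.py: fold
# vulnerability findings into a composite 0-100 risk score with an A-F grade,
# and emit a CycloneDX 1.5 JSON SBOM with PURL identifiers that also records
# the findings. Weights, grade bands and PURL_TYPE are assumptions.
import json

# Assumed weight per CVSS severity band; the total is capped at 100.
SEVERITY_WEIGHT = {"CRITICAL": 40, "HIGH": 20, "MEDIUM": 10, "LOW": 4}
# Assumed ecosystem -> package-url type mapping.
PURL_TYPE = {"python": "pypi", "nodejs": "npm", "go": "golang", "rust": "cargo", "ruby": "gem"}


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def composite_score(vulns) -> int:
    """Sum the severity weights of all findings, capped at 100."""
    return min(100, sum(SEVERITY_WEIGHT[severity(v["cvss"])] for v in vulns))


def letter_grade(score: int) -> str:
    """Assumed bands: A < 10, B < 30, C < 50, D < 70, otherwise F."""
    for grade, upper in (("A", 10), ("B", 30), ("C", 50), ("D", 70)):
        if score < upper:
            return grade
    return "F"


def purl(ecosystem: str, name: str, version: str) -> str:
    """package-url 'pkg:<type>/<name>@<version>'; PyPI names are case-insensitive, so lowercase them."""
    ptype = PURL_TYPE[ecosystem]
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    return f"pkg:{ptype}/{name}@{version}"


def build_sbom(ecosystem: str, deps, vulns) -> dict:
    """CycloneDX 1.5 document: one library component per dependency, plus a
    vulnerabilities array whose entries reference components by bom-ref."""
    components = []
    for name, version in deps:
        ref = purl(ecosystem, name, version)
        components.append({"type": "library", "bom-ref": ref,
                           "name": name, "version": version, "purl": ref})
    vulnerabilities = []
    for v in vulns:
        vulnerabilities.append({
            "id": v["id"],
            "ratings": [{"score": v["cvss"], "severity": severity(v["cvss"]).lower(),
                         "method": "CVSSv31"}],
            "affects": [{"ref": purl(ecosystem, v["package"], v["version"])}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "vulnerabilities": vulnerabilities}


def to_json(sbom: dict) -> str:
    return json.dumps(sbom, indent=2)


def scan_verdict(deps, vulns) -> dict:
    """Summary a CI gate can act on: composite score, grade and counts."""
    score = composite_score(vulns)
    return {"score": score, "grade": letter_grade(score), "deps": len(deps), "vulns": len(vulns)}


# Constructed sample: pinned versions plus four findings taken from the
# "Real CVEs Detected" table on this page.
SAMPLE_DEPS = [("Flask", "2.0.0"), ("requests", "2.25.0"),
               ("urllib3", "1.26.4"), ("paramiko", "2.8.0")]
SAMPLE_VULNS = [
    {"id": "CVE-2023-30861", "package": "Flask", "version": "2.0.0", "cvss": 7.5},
    {"id": "CVE-2023-32681", "package": "requests", "version": "2.25.0", "cvss": 6.1},
    {"id": "CVE-2023-45803", "package": "urllib3", "version": "1.26.4", "cvss": 4.2},
    {"id": "CVE-2023-48795", "package": "paramiko", "version": "2.8.0", "cvss": 5.9},
]

if __name__ == "__main__":
    print(scan_verdict(SAMPLE_DEPS, SAMPLE_VULNS))
    print(to_json(build_sbom("python", SAMPLE_DEPS, SAMPLE_VULNS)))
```

With the assumed weights the four sample findings (one HIGH, three MEDIUM) add up to 50, a grade of D, even though the CI workflow above would pass because none of them is CRITICAL; gating on the composite score catches a build that accumulates many medium-severity issues without a single critical one.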
Tags: Claude, CVE detection, CycloneDX, DevSecOps, GNU General Public License, Go, Node.js, OSV, Python, Ruby tools, SBOM generation, typosquatting, Vercel, upstream proxy, cloud security monitoring, dependency security, document security, no backdoor, license compliance, request interception, fall detection, software development kit, software bill of materials, reverse engineering tools, static analysis, risk scoring