If you'd like to contribute code or documentation, please see CONTRIBUTING.md for guidelines on how to do so.
Reporting Issues
Please report any issues with the setup process, or other problems encountered while using this repository, by opening a new issue on this project's GitHub page.
Purpose
The vulnerability finder service finds known vulnerabilities for the dependencies of a source code project; that is, it checks whether the installed versions are known to be vulnerable. This information is provided by vulnerability sources such as the NVD and the OSV.
It is the second stage of the Software Composition Analysis process.
1. Identify dependencies (SBOM)
2. Identify known vulnerable dependencies (this service)
3. Identify licenses and check license compliance
4. Compute and verify upgrades to the application
Current Features
Multi-language Support: JavaScript (npm, yarn, pnpm) and PHP (Composer)
To run this service for development purposes, two parameters must be supplied on the command line (or in the IDE run configuration):
Usage of service-sca-vuln-finder:
  -output-file string
        Absolute Path to the output file (Required)
  -sbom-input-file string
        Absolute Path to the sbom service's output file (Required)
How to add support for a new language?
Although the service is written in a language-agnostic fashion, adding a new language requires a small amount of code.
In run.go:Start(), you must create a new vulnerability matcher instance for your language (example for JS):
    // Check which language was requested
    if languageId == "JS" {
        // Build the matcher for this language. The literal has to be assigned
        // (a bare composite literal does not compile in Go).
        matcher := vulnMatcher.VulnerabilityMatcher{
            // Ecosystem(s) this matcher is responsible for
            Ecosystems: []ecoSystemTypes.Ecosystem{
                ecoSystemTypes.NODEJS_OR_JS,
            },
            // Heuristic applied when vulnerability sources disagree
            ConflictResolver: conflictResolver.TrustOSVConflictHeuristic,
            // Registry abstraction for this ecosystem (see the five functions below)
            PackageRepository: &npmRepository.NpmPackageRepository,
        }
        // matcher is then used for the matching run, exactly as for the
        // languages that are already supported.
    }
In Ecosystems you list the ecosystem(s) you want to match: PHP, Go, Python, ...
In ConflictResolver you set the conflict resolver to use; use the same one as the other languages.
Most importantly, in PackageRepository you supply the package repository abstraction for the language/ecosystem to be analyzed. This abstraction is the part you have to implement.
This PackageRepository must provide five simple functions:
GetVersionStrings func(depName string) ([]string, error): returns all version strings of the dependency (only the version numbers, no information about each version)
GetVersionStringsBelow func(depName string, depVersion string, limit int) ([]string, error): returns the version strings of the dependency below the given semver version
GetVersionStringsAbove func(depName string, depVersion string, limit int) ([]string, error): returns the version strings of the dependency above the given semver version
GetFirstVersionString func(depName string) (string, error): returns the first (oldest) version of the dependency
GetLastVersionString func(depName string) (string, error): returns the last (newest) version of the dependency
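As an added example (not the project's own code), here is a minimal repository for a hypothetical ecosystem backed by a constructed in-memory version index: GetVersionStrings with a genuine MAJOR.MINOR.PATCH ordering, and GetVersionStringsBelow with the limit argument. The index, the "example-lib" package and the reading of limit as "the nearest versions" are assumptions; the real repository would query the ecosystem's registry instead.

```go
package main

import "fmt"
import "sort"

// index is a constructed in-memory stand-in for a real registry lookup.
var index = map[string][]string{"example-lib": {"1.2.0", "1.0.0", "1.10.0", "1.9.1", "2.0.0"}}

// GetVersionStrings returns depName's versions ascending by MAJOR.MINOR.PATCH (pre-release
// tags out of scope): a plain string sort would put "1.10.0" before "1.9.1".
func GetVersionStrings(depName string) ([]string, error) {
	vs, ok := index[depName]
	if !ok || len(vs) == 0 {
		return nil, fmt.Errorf("unknown dependency %q", depName)
	}
	keys := map[string][3]int{}
	for _, v := range vs {
		var k [3]int
		if n, err := fmt.Sscanf(v, "%d.%d.%d", &k[0], &k[1], &k[2]); err != nil || n != 3 {
			return nil, fmt.Errorf("%s: not MAJOR.MINOR.PATCH: %q", depName, v)
		}
		keys[v] = k
	}
	out := append([]string(nil), vs...)
	sort.Slice(out, func(i, j int) bool {
		a, b := keys[out[i]], keys[out[j]]
		return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
	})
	return out, nil
}

// GetVersionStringsBelow: versions strictly below depVersion, ascending; limit > 0 keeps the nearest ones (assumed).
func GetVersionStringsBelow(depName, depVersion string, limit int) ([]string, error) {
	all, err := GetVersionStrings(depName)
	if err != nil {
		return nil, err
	}
	p := 0
	for p < len(all) && all[p] != depVersion {
		p++
	}
	if p == len(all) {
		return nil, fmt.Errorf("%s has no version %q", depName, depVersion)
	}
	below := all[:p]
	if limit > 0 && len(below) > limit {
		below = below[len(below)-limit:]
	}
	return below, nil
}
```

Assign these to the matching fields of the struct you pass as PackageRepository; GetVersionStringsAbove is the mirror image (all[p+1:], truncated from the front), and the first and last version are simply the two ends of the sorted list.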
Acknowledgement of Copyright and Co-Authorship
This software was developed as part of the research project “FNR JUMP SecuBox”, funded by the Luxembourg National Research Fund (FNR), grant number JUMP21/16693582/SecuBox (hereafter the “Project”).
The software was developed at the University of Luxembourg (hereafter the “University”) and is subject to its intellectual property policy. Accordingly, the copyright of this software is held by the University of Luxembourg.
The development of this software involved contributions from several researchers affiliated with the University during the Project period. Their work was instrumental in achieving the technical and scientific objectives of the Project.