sca-osv-scanner


SCA Scan with OSV-Scanner

You are a security engineer running Software Composition Analysis (SCA) using OSV-Scanner to detect known vulnerabilities in project dependencies.

When to use

Use this skill when asked to check dependencies for vulnerabilities, perform SCA, or audit third-party libraries. Works across all major package ecosystems.

Prerequisites

  • OSV-Scanner installed (`go install github.com/google/osv-scanner/cmd/osv-scanner@latest` or download the binary)
  • Verify: `osv-scanner --version`

Instructions

  1. Identify the target — Determine the project directory or the specific lockfile to scan.
  2. Run the scan:
     ```bash
     osv-scanner -r --json <target-directory> > osv-results.json
     ```
     • Specific lockfile: `osv-scanner --lockfile=package-lock.json --json`
     • SBOM input: `osv-scanner --sbom=sbom.json --json`
     • Skip git scanning: `osv-scanner -r --skip-git --json <directory>`
  3. Parse the results — Read the JSON output and present the findings in this table:

     | # | OSV ID | Severity | Package | Installed Version | Fixed Version | Summary | Ecosystem |
     |---|--------|----------|---------|-------------------|---------------|---------|-----------|

  4. Summarize — Provide:
     • Total dependencies scanned vs vulnerabilities found
     • Critical/High severity findings first
     • Upgrade commands for each vulnerable package
     • Link to the OSV advisory for each finding
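A worked parser for steps 3 and 4, added here as an example; it is not part of the original skill or of the OSV-Scanner project. It assumes the nesting of `osv-scanner --json` output (`results` → `packages` → `package` / `vulnerabilities` / `groups`, with `groups[].max_severity` carrying the score), takes the fixed version only from the `affected` entry whose name and ecosystem match the installed package (one advisory can cover several packages), treats a range with no `fixed` event as "no fix listed", and builds the advisory link from the `https://osv.dev/vulnerability/<ID>` URL scheme. The embedded report, the `EXAMPLE-*` IDs and the `UPGRADE_TEMPLATES` mapping are constructed for illustration.

```python
import json

# Constructed sample in the shape of `osv-scanner --json` output (the nesting is an
# assumption about the scanner's format; the skill text does not define it).
SAMPLE_OSV_JSON = r'''{"results": [
 {"source": {"path": "package-lock.json", "type": "lockfile"}, "packages": [
  {"package": {"name": "example-lib", "version": "1.2.0", "ecosystem": "npm"},
   "vulnerabilities": [
    {"id": "EXAMPLE-2024-0001", "summary": "constructed: prototype pollution",
     "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.5"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "summary": "constructed: no fix published yet",
     "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"last_affected": "1.2.0"}]}]}]}],
   "groups": [{"ids": ["EXAMPLE-2024-0001"], "max_severity": "7.5"},
              {"ids": ["EXAMPLE-2024-0002"], "max_severity": "9.1"}]}]},
 {"source": {"path": "requirements.txt", "type": "lockfile"}, "packages": [
  {"package": {"name": "sample-py", "version": "2.0.1", "ecosystem": "PyPI"},
   "vulnerabilities": [
    {"id": "EXAMPLE-2024-0003", "summary": "constructed: path traversal",
     "affected": [{"package": {"name": "sample-py-legacy", "ecosystem": "PyPI"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.9"}]}]},
      {"package": {"name": "sample-py", "ecosystem": "PyPI"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.2"}]}]}]}],
   "groups": [{"ids": ["EXAMPLE-2024-0003"], "max_severity": "5.3"}]}]}]}'''

# Illustrative upgrade commands keyed by OSV ecosystem name (assumption, not from the page).
UPGRADE_TEMPLATES = {"npm": "npm install {name}@{fixed}", "PyPI": "pip install '{name}=={fixed}'",
                     "Go": "go get {name}@v{fixed}", "crates.io": "cargo update -p {name} --precise {fixed}"}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]

def severity_label(score):
    """Map a CVSS base score string such as "7.5" to the usual qualitative bucket."""
    try:
        value = float(score)
    except (TypeError, ValueError):
        return "Unknown"
    return "Critical" if value >= 9.0 else "High" if value >= 7.0 else "Medium" if value >= 4.0 else "Low"

def fixed_version(vuln, name, ecosystem):
    """First 'fixed' event in the affected entry for *this* package; None when no fix is listed."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue  # one advisory can cover several packages; only ours matters
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None

def parse_findings(report):
    """Flatten the report into table rows ordered most severe first."""
    rows = []
    for result in report.get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            # groups carry the scanner's max_severity per vulnerability id
            score_by_id = {vid: grp.get("max_severity")
                           for grp in entry.get("groups", []) for vid in grp.get("ids", [])}
            for vuln in entry.get("vulnerabilities", []):
                score = score_by_id.get(vuln["id"])
                rows.append({"osv_id": vuln["id"], "severity": severity_label(score), "score": score,
                             "package": pkg["name"], "installed": pkg["version"],
                             "fixed": fixed_version(vuln, pkg["name"], pkg["ecosystem"]),
                             "summary": vuln.get("summary", ""), "ecosystem": pkg["ecosystem"],
                             "advisory": "https://osv.dev/vulnerability/" + vuln["id"]})
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), r["package"], r["osv_id"]))
    return rows

def upgrade_command(row):
    """Suggested upgrade for one row, or None when no fixed version is listed."""
    template = UPGRADE_TEMPLATES.get(row["ecosystem"])
    return template.format(name=row["package"], fixed=row["fixed"]) if row["fixed"] and template else None

def render_table(rows):
    """Markdown table in the column order the skill asks for."""
    lines = ["| # | OSV ID | Severity | Package | Installed Version | Fixed Version | Summary | Ecosystem |",
             "|---|--------|----------|---------|-------------------|---------------|---------|-----------|"]
    for i, r in enumerate(rows, 1):
        lines.append(f"| {i} | {r['osv_id']} | {r['severity']} | {r['package']} | {r['installed']} | "
                     f"{r['fixed'] or 'no fix listed'} | {r['summary']} | {r['ecosystem']} |")
    return "\n".join(lines)

def summarize(report):
    """Counts, upgrade commands and advisory links for the summary step."""
    rows = parse_findings(report)
    return {"vulnerable_packages": len({(r["ecosystem"], r["package"]) for r in rows}),
            "findings": len(rows),
            "by_severity": {s: sum(r["severity"] == s for r in rows) for s in SEVERITY_ORDER},
            "upgrades": [c for c in map(upgrade_command, rows) if c],
            "advisories": [r["advisory"] for r in rows]}

def load_sample():
    """Parse the constructed sample report above."""
    return json.loads(SAMPLE_OSV_JSON)

if __name__ == "__main__":
    import sys  # usage: python osv_report.py osv-results.json  (no argument: constructed sample)
    report = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else load_sample()
    print(render_table(parse_findings(report)))
    print(json.dumps(summarize(report), indent=2))
```

Run it against the `osv-results.json` written in step 2 to get the table and a JSON summary. Only packages that appear in the report are counted, so the "vulnerable packages" figure is a count of affected packages, not the total number of dependencies the scanner examined; take that total from the scanner's own output.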

Supported Lockfiles

| Ecosystem | Lockfile |
|-----------|----------|
| npm | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, Pipfile.lock, poetry.lock |
| Go | go.sum |
| Rust | Cargo.lock |
| Java | pom.xml, gradle.lockfile |
| .NET | packages.lock.json |
| Ruby | Gemfile.lock |
| PHP | composer.lock |