Version: 21.5 - Latest

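Dependency Scanning

Gitea Enterprise keeps evolving to meet the growing demands of software development in security-sensitive environments. One of its key features is dependency scanning, which helps keep your code secure by identifying vulnerabilities in your project's dependencies.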

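What is dependency scanning?

In software development, it is common to use third-party packages or libraries (known as dependencies) to avoid reinventing the wheel. Useful as they are, these dependencies can sometimes contain security vulnerabilities that, if left unchecked, may compromise your application.

This is where dependency scanning comes in. The dependency scanning feature of Gitea Enterprise scans your code's dependencies and identifies those with known security vulnerabilities.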

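How does dependency scanning work?

Dependency scanning in Gitea Enterprise is designed to be efficient and easy to use.

Gitea Enterprise automatically scans your project's dependencies for any known vulnerabilities. If a vulnerability is detected, Gitea Enterprise files a report that gives you details about the issue, including its severity, a description of the vulnerability, and any known fixes.

This proactive approach lets you address potential security risks before they become problems, significantly strengthening the security and integrity of your software projects.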
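The general technique behind a lock-file scan, as an added example (not Gitea Enterprise's own code): read the pinned versions from a go.mod and flag every module pinned below the version in which an advisory was fixed. The sample is an excerpt of the demo go.mod from the "Try it out" section; the advisory IDs, the fixed versions and all function names are constructed for illustration, and version ordering is simplified to major.minor.patch.

```go
package main

import "fmt"
import "strings"

// Advisory: a version of Module below Fixed counts as affected.
type Advisory struct{ ID, Module, Fixed string }

// Constructed sample data: an excerpt of the demo go.mod and made-up advisories.
const sampleGoMod = "module test\n\ngo 1.21\n\nrequire (\n" +
	"\tgithub.com/microcosm-cc/bluemonday v1.0.26\n\tgolang.org/x/crypto v0.1.0\n)\n"
var sampleAdvisories = []Advisory{{"EXAMPLE-0001", "golang.org/x/crypto", "v0.17.0"},
	{"EXAMPLE-0002", "github.com/microcosm-cc/bluemonday", "v1.0.20"}}

// parseRequires maps module path to pinned version for every require line.
func parseRequires(gomod string) map[string]string {
	deps, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0])
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if line == "require (" || line == ")" {
			inBlock = line != ")"
		} else if (inBlock || strings.HasPrefix(line, "require ")) && len(f) == 2 {
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// older compares major.minor.patch only; pre-release and build suffixes are ignored.
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// scan reports every dependency pinned below an advisory's fixed version.
func scan(gomod string, advs []Advisory) (out []string) {
	deps := parseRequires(gomod)
	for _, a := range advs {
		if v, ok := deps[a.Module]; ok && older(v, a.Fixed) {
			out = append(out, a.ID+" "+a.Module+"@"+v+" fixed in "+a.Fixed)
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(scan(sampleGoMod, sampleAdvisories), "\n")) }
```

Only the constructed advisory whose fixed version is above the pinned one produces a finding; the bluemonday pin is already past its constructed fix and is not reported.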

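Supported languages

Dependency scanning in Gitea Enterprise supports the major programming languages, making it versatile and suitable for a wide range of projects.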

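| Language   | Lock files                                              |
|------------|---------------------------------------------------------|
| C/C++      | conan.lock                                              |
| Dart       | pubspec.lock                                            |
| Elixir     | mix.lock                                                |
| Go         | go.mod                                                  |
| Java       | buildscript-gradle.lockfile, gradle.lockfile, pom.xml   |
| JavaScript | package-lock.json, pnpm-lock.yaml, yarn.lock            |
| PHP        | composer.lock                                           |
| Python     | Pipfile.lock, poetry.lock                               |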

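Try it out

Want to try it out, but your code is so secure that it has no vulnerabilities?

Don't worry, we have prepared a demo for you. Save this go.mod file to the root directory of your repository and push it to your Gitea Enterprise instance.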

go.mod
module test

go 1.21

require (
code.sajari.com/docconv v1.0.0
filippo.io/nistec v0.0.1
github.com/AndrewBurian/powermux v1.0.0
github.com/Masterminds/goutils v1.0.1
github.com/Masterminds/vcs v1.10.0
github.com/antchfx/xmlquery v1.0.0
github.com/apache/thrift v0.12.0
github.com/argoproj/argo-cd/v2 v2.0.0
github.com/argoproj/argo-events v0.13.0
github.com/artdarek/go-unzip v1.0.0
github.com/astaxie/beego v0.6.0
github.com/aws/aws-sdk-go v0.10.0
github.com/beego/beego v0.6.0
github.com/beego/beego/v2 v2.0.0
github.com/binance-chain/tss-lib v1.0.0
github.com/biscuit-auth/biscuit-go v1.0.0
github.com/blevesearch/bleve v0.1.0
github.com/blevesearch/bleve/v2 v2.0.0
github.com/bnb-chain/tss-lib v1.0.0
github.com/bradleyfalzon/ghinstallation v0.1.0
github.com/btcsuite/btcd v0.20.0-beta
github.com/buger/jsonparser v1.0.0
github.com/bytom/bytom v0.1.0
github.com/caddyserver/caddy/v2 v2.0.0
github.com/cloudflare/cfrpki v1.1.0
github.com/cloudflare/circl v1.0.0
github.com/cloudwego/hertz v0.0.1
github.com/codenotary/immudb v0.0.0-20200206
github.com/cometbft/cometbft v0.34.27
github.com/consensys/gnark v0.1.0-alpha
github.com/consensys/gnark-crypto v0.0.1
github.com/containerd/containerd v0.1.0
github.com/containerd/imgcrypt v1.0.0
github.com/containernetworking/cni v0.1.0
github.com/containers/buildah v0.16.0
github.com/containers/image v1.5.1
github.com/containers/podman/v4 v4.0.0
github.com/containers/psgo v1.2.0
github.com/containers/storage v0.21.1
github.com/containrrr/shoutrrr v0.3.0
github.com/corazawaf/coraza/v2 v2.0.0
github.com/corazawaf/coraza/v3 v3.0.0
github.com/cortexproject/cortex v0.1.0
github.com/cosmos/cosmos-sdk v0.0.2
github.com/cosmos/ibc-go/v4 v4.0.0-rc0
github.com/cosmos/ibc-go/v5 v5.0.0-beta1
github.com/cosmos/ibc-go/v6 v6.0.0-alpha1
github.com/cosmos/ibc-go/v7 v7.0.0-beta2
github.com/crewjam/saml v0.3.0
github.com/crossplane/crossplane-runtime v0.1.0
github.com/cyphar/filepath-securejoin v0.1.0
github.com/dablelv/go-huge-util v0.0.1
github.com/deislabs/oras v0.1.0
github.com/dgrijalva/jwt-go v1.0.0
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/dinever/golf v0.1.0
github.com/distribution/distribution v2.0.0+incompatible
github.com/docker/distribution v2.0.0+incompatible
github.com/documize/community v0.14.1
github.com/duke-git/lancet v1.0.0
github.com/duke-git/lancet/v2 v2.0.0
github.com/ecnepsnai/web v1.10.0
github.com/elastic/beats v0.1.0
github.com/emicklei/go-restful v1.0.0
github.com/emicklei/go-restful/v2 v2.7.1
github.com/emicklei/go-restful/v3 v3.0.0
github.com/ethereum/go-ethereum v0.4.1
github.com/evanphx/json-patch v0.5.2
github.com/facebook/fbthrift v0.20.0
github.com/filebrowser/filebrowser/v2 v2.0.0
github.com/fluxcd/helm-controller/api v0.0.10
github.com/fluxcd/image-automation-controller/api v0.1.0
github.com/fluxcd/image-reflector-controller/api v0.1.0
github.com/fluxcd/kustomize-controller/api v0.0.10
github.com/fluxcd/notification-controller/api v0.0.10
github.com/fluxcd/source-controller/api v0.0.10
github.com/flynn/noise v1.0.0
github.com/flyteorg/flyteadmin v0.1.0
github.com/free5gc/aper v1.0.0
github.com/gagliardetto/binary v0.2.0
github.com/gin-gonic/gin v1.1.1
github.com/git-lfs/git-lfs v0.1.0
github.com/go-jose/go-jose/v3 v3.0.0
github.com/go-macaron/i18n v0.5.0
github.com/go-resty/resty/v2 v2.0.0
github.com/go-yaml/yaml v2.0.0+incompatible
github.com/goadesign/goa v1.0.0
github.com/gofiber/fiber v0.6.9
github.com/gofiber/fiber/v2 v2.0.0
github.com/gogits/gogs v0.10.1
github.com/gogo/protobuf v1.0.0
github.com/google/fscrypt v0.1.0
github.com/google/go-attestation v0.1.1
github.com/google/go-tpm v0.0.1
github.com/gookit/goutil v0.1.0
github.com/goreleaser/nfpm/v2 v2.0.0
github.com/gorilla/handlers v1.2.1
github.com/gorilla/websocket v1.0.0
github.com/grafana/google-sheets-datasource v0.1.0
github.com/graph-gophers/graphql-go v1.0.0
github.com/graphql-go/graphql v0.4.18
github.com/hakobe/paranoidhttp v0.1.0
github.com/hamba/avro v0.0.1
github.com/hamba/avro/v2 v2.0.0
github.com/hashicorp/consul-template v0.1.0
github.com/hashicorp/go-getter v1.0.0
github.com/hashicorp/go-getter/gcs/v2 v2.0.2
github.com/hashicorp/go-getter/s3/v2 v2.0.2
github.com/hashicorp/go-getter/v2 v2.0.0
github.com/hashicorp/go-slug v0.1.0
github.com/hashicorp/vault v0.1.0
github.com/holiman/uint256 v0.1.0
github.com/hybridgroup/gobot v0.11.0
github.com/ipfs/go-bitfield v1.0.0
github.com/ipfs/go-bitswap v0.0.1
github.com/ipfs/go-libipfs v0.1.0
github.com/ipfs/go-merkledag v0.0.1
github.com/ipfs/go-unixfs v0.0.1
github.com/ipfs/go-unixfsnode v1.0.0
github.com/ipld/go-car v0.0.1
github.com/ipld/go-car/v2 v2.0.0
github.com/ipld/go-codec-dagpb v1.0.0
github.com/ipld/go-ipld-prime v0.0.1
github.com/justinas/nosurf v1.0.0
github.com/kataras/iris v0.0.1
github.com/kataras/iris/v12 v12.2.0
github.com/kitabisa/teler-waf v0.0.1
github.com/kyverno/kyverno v0.1.0
github.com/labstack/echo/v4 v4.0.0
github.com/lestrrat-go/jwx v0.9.0
github.com/lestrrat-go/jwx/v2 v2.0.0
github.com/libp2p/go-libp2p v0.0.1
github.com/lxc/lxd v0.1.0
github.com/malfunkt/iprange v0.9.0
github.com/mastercactapus/proxyprotocol v0.0.1
github.com/mholt/caddy v0.10.0
github.com/microcosm-cc/bluemonday v1.0.26
github.com/miekg/dns v1.0.0
github.com/moov-io/signedxml v1.0.0
github.com/nats-io/jwt v0.0.3
github.com/nats-io/jwt/v2 v2.0.0
github.com/nats-io/nats-server/v2 v2.0.0
github.com/nats-io/nkeys v0.0.1
github.com/notaryproject/notation-go v0.10.0-alpha.3
github.com/ntbosscher/gobase v0.1.0
github.com/oam-dev/kubevela v0.0.1
github.com/open-policy-agent/opa v0.15.0
github.com/opencontainers/runc v0.0.1
github.com/opencontainers/selinux v1.0.0
github.com/openfga/openfga v0.0.1
github.com/openshift/osin v1.0.0
github.com/openshift/source-to-image v0.5.1
github.com/ory/fosite v0.1.0
github.com/pandatix/go-cvss v0.1.0
github.com/peterzen/goresolver v1.0.0
github.com/pion/dtls v1.0.0
github.com/pion/dtls/v2 v2.0.0
github.com/pion/webrtc/v3 v3.0.0
github.com/pires/go-proxyproto v0.1.3
github.com/pomerium/pomerium v0.0.1
github.com/proglottis/gpgme v0.1.0
github.com/projectdiscovery/nuclei/v2 v2.0.0
github.com/prometheus/client_golang v0.12.1
github.com/prometheus/exporter-toolkit v0.1.0
github.com/quay/claircore v0.0.1
github.com/quic-go/quic-go v0.10.0
github.com/rancher/rancher v0.10.0
github.com/rancher/wrangler v0.1.0
github.com/revel/revel v0.10.0
github.com/robbert229/jwt v1.0.0
github.com/rs/cors v1.10.0
github.com/runatlantis/atlantis v0.1.0
github.com/russellhaering/gosaml2 v0.1.0
github.com/russellhaering/goxmldsig v1.1.0
github.com/sagernet/sing v0.1.0
github.com/sassoftware/go-rpmutils v0.1.0
github.com/satori/go.uuid v1.0.0
github.com/seccomp/libseccomp-golang v0.10.0
github.com/shamaton/msgpack/v2 v2.0.0
github.com/sigstore/cosign v0.1.0
github.com/sigstore/cosign/v2 v2.0.0
github.com/sjqzhang/go-fastdfs v1.0.1
github.com/square/go-jose v1.0.0
github.com/superfly/tokenizer v0.0.1
github.com/supranational/blst v0.1.0
github.com/sylabs/scs-library-client v0.0.1
github.com/sylabs/sif/v2 v2.0.0
github.com/tendermint/tendermint v0.0.0
github.com/theupdateframework/go-tuf v0.1.0
github.com/tidwall/gjson v1.0.0
github.com/uber/kraken v0.1.0
github.com/ulikunitz/xz v0.3.1
github.com/unknwon/cae v0.0.1
github.com/usememos/memos v0.0.1
github.com/valyala/fasthttp v0.1.0
github.com/weaviate/weaviate v0.22.18
github.com/ydb-platform/ydb-go-sdk/v3 v3.0.0
github.com/yi-ge/unzip v1.0.0
github.com/zalando/skipper v0.10.0
go.elastic.co/apm v0.4.0
go.etcd.io/etcd v0.1.0
go.mongodb.org/mongo-driver v0.0.1
go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho v0.12.0
go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron v0.12.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.12.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.12.0
goa.design/goa v1.0.0
goa.design/goa/v3 v3.0.0
golang.org/x/crypto v0.1.0
golang.org/x/image v0.1.0
golang.org/x/net v0.1.0
golang.org/x/sys v0.1.0
golang.org/x/text v0.1.0
google.golang.org/grpc v1.0.0
google.golang.org/protobuf v1.20.0
gopkg.in/macaron.v1 v1.0.1
gopkg.in/square/go-jose.v1 v1.0.0
gopkg.in/yaml.v2 v2.0.0
gopkg.in/yaml.v3 v3.0.0
helm.sh/helm/v3 v3.0.0
k8s.io/apimachinery v0.15.10
k8s.io/client-go v0.15.10
k8s.io/kube-state-metrics v0.1.0
k8s.io/kubernetes v0.10.0
mellium.im/sasl v0.0.1
mellium.im/xmpp v0.0.1
sigs.k8s.io/secrets-store-csi-driver v0.0.1
vitess.io/vitess v0.10.0
)

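Then navigate to the repository's "Security" tab to view the scan results. If you don't find any reports, please wait, as the scanning process may take some time. Once the scan completes, you will see many reports.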

[Screenshot: Vulnerability list]

Click a report to view the details of the vulnerability.

[Screenshot: Vulnerability detail]

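We hope you never see reports like these, which would mean your code is secure enough. But if problems do arise, don't worry: Gitea Enterprise will help you find and fix them promptly.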