Day-137-软件成分分析SCA

# Day 151: 软件成分分析 SCA

> 应用安全系列第 44 天 | 预计阅读时间：50 分钟 | 难度：★★★★☆

---

**PUA v3 · Sprint 启动** 
```
┌─────────┬────────────────────────────────────┐
│ 清单 任务 │ 软件成分分析 SCA - Day 151         │
├─────────┼────────────────────────────────────┤
│  味道 │  阿里味（自动：安全任务）        │
├─────────┼────────────────────────────────────┤
│  压力 │ L0 · 信任期                        │
└─────────┴────────────────────────────────────┘
```
▎ SCA 不是扫描依赖，是管理风险。风险不管理，漏洞就是必然的。今天深入软件成分分析 SCA。

---

## 清单 目录

1. [SCA 概述](#sca 概述)
2. [SCA 工作原理](#sca 工作原理)
3. [SCA 工具对比](#sca 工具对比)
4. [依赖漏洞管理](#依赖漏洞管理)
5. [许可证合规](#许可证合规)
6. [SBOM 管理](#sbom 管理)
7. [CI/CD 集成](#cicd 集成)
8. [漏洞修复策略](#漏洞修复策略)
9. [实战配置演练](#实战配置演练)
10. [总结与思考](#总结与思考)
11. [参考资料](#参考资料)

---

## SCA 概述

### 什么是 SCA

> ▎ SCA 不是找漏洞，是管供应链。供应链不管，漏洞就是外部的。

**定义与目标**：
```
SCA (Software Composition Analysis) 是识别和管理应用程序中开源组件和第三方依赖的安全分析技术。

核心目标：
1. 漏洞检测
   - 识别已知漏洞
   - CVE 匹配
   - 风险评级

2. 许可证合规
   - 许可证识别
   - 合规检查
   - 风险提示

3. 资产管理
   - 组件清单
   - 版本管理
   - SBOM 生成
```

**SCA 价值**：
```
SCA 投资回报:

问题类型      发现成本    修复成本    风险等级
─────────────────────────────────────────────
已知漏洞      低         中         高
许可证违规    低         高         中
过时组件      低         低         中

SCA 收益:
- 漏洞发现提前 90%
- 修复成本降低 70%
- 合规风险降低 80%
- 供应链透明度提升
```

### 为什么需要 SCA

**供应链安全现状**：
```
现代应用依赖分析 (2024 数据):

- 平均应用：80% 开源代码
- 平均依赖：150+ 第三方组件
- 传递依赖：500+ 间接依赖
- 漏洞比例：30% 应用有已知漏洞

典型供应链攻击:
- SolarWinds (2020): 18000+ 组织受影响
- Log4j (2021): 全球性漏洞
- Colorama (2022): Python 依赖投毒
- XZ Utils (2024): 后门植入

SCA 必要性:
- 依赖数量多，人工无法管理
- 漏洞发现快，需要快速响应
- 合规要求严，需要审计追踪
- 供应链复杂，需要透明可视
```

---

## SCA 工作原理

### 分析流程

> ▎ SCA 不是简单匹配，是深度分析。分析不深度，依赖就是黑盒的。

**SCA 分析流程**：
```python
# SCA 引擎工作流程
class SCAEngine:
    """SCA 分析引擎"""
    
    def analyze(self, project_path):
        """执行 SCA 分析"""
        # 1. 依赖发现
        dependencies = self.discover_dependencies(project_path)
        
        # 2. 版本解析
        resolved_deps = self.resolve_versions(dependencies)
        
        # 3. 漏洞匹配
        vulnerabilities = self.match_vulnerabilities(resolved_deps)
        
        # 4. 许可证分析
        licenses = self.analyze_licenses(resolved_deps)
        
        # 5. 风险评估
        risk_assessment = self.assess_risk(vulnerabilities, licenses)
        
        # 6. 生成 SBOM
        sbom = self.generate_sbom(resolved_deps)
        
        # 7. 生成报告
        report = self.generate_report(
            resolved_deps,
            vulnerabilities,
            licenses,
            risk_assessment,
            sbom
        )
        
        return report
    
    def discover_dependencies(self, project_path):
        """发现依赖"""
        dependencies = []
        
        # 检测项目类型
        project_type = self.detect_project_type(project_path)
        
        if project_type == 'python':
            # Python: requirements.txt, setup.py, pyproject.toml
            dependencies.extend(self.parse_requirements(project_path))
            dependencies.extend(self.parse_setup_py(project_path))
            dependencies.extend(self.parse_pyproject(project_path))
        
        elif project_type == 'java':
            # Java: pom.xml, build.gradle
            dependencies.extend(self.parse_pom(project_path))
            dependencies.extend(self.parse_gradle(project_path))
        
        elif project_type == 'node':
            # Node: package.json
            dependencies.extend(self.parse_package_json(project_path))
        
        elif project_type == 'go':
            # Go: go.mod
            dependencies.extend(self.parse_go_mod(project_path))
        
        return dependencies
    
    def resolve_versions(self, dependencies):
        """解析版本"""
        resolved = []
        
        for dep in dependencies:
            # 解析版本约束
            version = self.resolve_version(dep)
            
            # 解析传递依赖
            transitive = self.resolve_transitive(dep)
            
            resolved.append({
                'name': dep['name'],
                'version': version,
                'direct': dep.get('direct', True),
                'transitive_deps': transitive
            })
        
        return resolved
    
    def match_vulnerabilities(self, dependencies):
        """匹配漏洞"""
        vulnerabilities = []
        
        for dep in dependencies:
            # 查询漏洞数据库
            vulns = self.query_vulnerability_db(dep['name'], dep['version'])
            
            for vuln in vulns:
                vulnerabilities.append({
                    'cve': vuln['cve'],
                    'severity': vuln['severity'],
                    'cvss_score': vuln['cvss_score'],
                    'component': dep['name'],
                    'installed_version': dep['version'],
                    'fixed_version': vuln['fixed_version'],
                    'description': vuln['description'],
                    'references': vuln['references']
                })
        
        return vulnerabilities
    
    def analyze_licenses(self, dependencies):
        """分析许可证"""
        licenses = []
        
        for dep in dependencies:
            # 获取许可证信息
            license_info = self.get_license_info(dep['name'], dep['version'])
            
            licenses.append({
                'component': dep['name'],
                'version': dep['version'],
                'licenses': license_info.get('licenses', []),
                'compliance_risk': self.assess_license_risk(license_info)
            })
        
        return licenses
    
    def assess_risk(self, vulnerabilities, licenses):
        """风险评估"""
        risk = {
            'total_vulnerabilities': len(vulnerabilities),
            'critical': len([v for v in vulnerabilities if v['severity'] == 'CRITICAL']),
            'high': len([v for v in vulnerabilities if v['severity'] == 'HIGH']),
            'medium': len([v for v in vulnerabilities if v['severity'] == 'MEDIUM']),
            'low': len([v for v in vulnerabilities if v['severity'] == 'LOW']),
            'license_issues': len([l for l in licenses if l['compliance_risk']]),
            'outdated_components': self.count_outdated(),
            'overall_risk': self.calculate_overall_risk(vulnerabilities, licenses)
        }
        
        return risk
    
    def generate_sbom(self, dependencies):
        """生成 SBOM (Software Bill of Materials)"""
        sbom = {
            'bomFormat': 'CycloneDX',
            'specVersion': '1.4',
            'components': []
        }
        
        for dep in dependencies:
            sbom['components'].append({
                'type': 'library',
                'name': dep['name'],
                'version': dep['version'],
                'purl': self.generate_purl(dep),
                'licenses': dep.get('licenses', [])
            })
        
        return sbom
```

### 漏洞匹配

```python
# 漏洞数据库匹配
class VulnerabilityMatcher:
    """漏洞匹配器"""
    
    def __init__(self):
        # 漏洞数据源
        self.sources = {
            'nvd': self.query_nvd,       # NVD (National Vulnerability Database)
            'osv': self.query_osv,       # OSV (Open Source Vulnerabilities)
            'github': self.query_github, # GitHub Advisory Database
            'snyk': self.query_snyk      # Snyk Vulnerability DB
        }
        
        # 版本匹配规则
        self.version_matching = {
            'exact': self.exact_match,
            'range': self.range_match,
            'semver': self.semver_match
        }
    
    def query_vulnerability_db(self, component, version):
        """查询漏洞数据库"""
        vulnerabilities = []
        
        # 从多个数据源查询
        for source_name, query_func in self.sources.items():
            try:
                vulns = query_func(component, version)
                vulnerabilities.extend(vulns)
            except Exception as e:
                print(f"Error querying {source_name}: {e}")
        
        # 去重
        vulns_dict = {}
        for vuln in vulnerabilities:
            cve = vuln.get('cve', vuln.get('id'))
            if cve not in vulns_dict:
                vulns_dict[cve] = vuln
        
        return list(vulns_dict.values())
    
    def query_nvd(self, component, version):
        """查询 NVD"""
        import requests
        
        # NVD API
        url = "https://services.nvd.nist.gov/rest/json/cves/2.0"
        params = {
            'keywordSearch': component,
            'versionStart': version,
            'versionEnd': version
        }
        
        response = requests.get(url, params=params)
        data = response.json()
        
        vulnerabilities = []
        for item in data.get('vulnerabilities', []):
            cve = item['cve']
            vulnerabilities.append({
                'cve': cve['id'],
                'severity': self.get_cvss_severity(cve),
                'cvss_score': self.get_cvss_score(cve),
                'description': cve['descriptions'][0]['value'],
                'references': [ref['url'] for ref in cve.get('references', [])],
                'fixed_version': self.get_fixed_version(cve, component)
            })
        
        return vulnerabilities
    
    def query_osv(self, component, version):
        """查询 OSV"""
        import requests
        
        url = "https://api.osv.dev/v1/query"
        data = {
            'package': {
                'name': component,
                'ecosystem': self.get_ecosystem(component)
            },
            'version': version
        }
        
        response = requests.post(url, json=data)
        data = response.json()
        
        vulnerabilities = []
        for vuln in data.get('vulns', []):
            vulnerabilities.append({
                'cve': vuln.get('id', ''),
                'severity': vuln.get('severity', 'UNKNOWN'),
                'description': vuln.get('summary', ''),
                'references': vuln.get('references', []),
                'fixed_version': self.get_osv_fixed_version(vuln)
            })
        
        return vulnerabilities
    
    def get_ecosystem(self, component):
        """获取生态系统"""
        # 根据组件名判断生态系统
        if component in ['django', 'flask', 'requests']:
            return 'PyPI'
        elif component in ['spring', 'hibernate', 'log4j']:
            return 'Maven'
        elif component in ['express', 'lodash', 'react']:
            return 'npm'
        else:
            return 'PyPI'  # 默认
```

---

## SCA 工具对比

### 主流工具

> ▎ 工具不是选最多，是选最准。数据不准，扫描就是误导的。

**工具对比表**：
```
┌─────────────────┬──────────────┬──────────────┬──────────────┬──────────────┐
│     工具        │   支持语言   │   漏洞库     │   许可证     │   成本       │
├─────────────────┼──────────────┼──────────────┼──────────────┼──────────────┤
│   Snyk          │  多语言      │  很大        │  完整        │  免费/商业   │
├─────────────────┼──────────────┼──────────────┼──────────────┼──────────────┤
│   Dependabot    │  多语言      │  大 (GitHub) │  基础        │  免费        │
├─────────────────┼──────────────┼──────────────┼──────────────┼──────────────┤
│   OWASP DC      │  多语言      │  大 (NVD)    │  完整        │  免费        │
├─────────────────┼──────────────┼──────────────┼──────────────┼──────────────┤
│   WhiteSource   │  多语言      │  很大        │  完整        │  商业        │
├─────────────────┼──────────────┼──────────────┼──────────────┼──────────────┤
│   Black Duck    │  多语言      │  很大        │  完整        │  商业        │
└─────────────────┴──────────────┴──────────────┴──────────────┴──────────────┘
```

### OWASP Dependency-Check

```python
# OWASP Dependency-Check 使用
"""
# 安装
# Docker
docker run --rm -v $(pwd):/src owasp/dependency-check \
  --scan /src --format ALL

# Maven 插件
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.0.0</version>
  <configuration>
    <format>ALL</format>
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
</plugin>

# Gradle 插件
plugins {
  id 'org.owasp.dependencycheck' version '8.0.0'
}

dependencyCheck {
  formats = ['ALL']
  failBuildOnCVSS = 7
}

# 命令行
dependency-check.sh --scan ./src --format ALL
dependency-check.sh --scan ./src --format JUNIT --out results/
"""

# 配置文件
"""
# dependency-check.properties
analyzer.enabled=true
analyzer.cve.enabled=true
analyzer.nvd.enabled=true
nvd.api.key=YOUR_API_KEY

# 抑制误报
# suppression.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
  <suppress>
    <notes><![CDATA[
      误报：这个组件实际上不受影响
    ]]></notes>
    <cve>CVE-2023-1234</cve>
  </suppress>
</suppressions>
"""
```

### Snyk 使用

```python
# Snyk 配置和使用
"""
# 安装
npm install -g snyk
snyk auth

# Python 项目
snyk test          # 测试漏洞
snyk monitor        # 持续监控
snyk fix            # 自动修复

# 配置
# .snyk
{
  "org": "my-org",
  "project": "my-project"
}

# CI/CD 集成
# GitHub Actions
- name: Snyk Test
  uses: snyk/actions/python@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high

# 忽略规则
# .snyk
{
  "ignore": {
    "SNYK-PYTHON-REQUESTS-123456": {
      "reason": "误报，已验证不受影响",
      "expires": "2024-12-31"
    }
  }
}

# 修复建议
snyk test --json | jq '.vulnerabilities[] | {
  package: .packageName,
  version: .version,
  severity: .severity,
  upgrade: .upgradePath
}'
"""

# Snyk API 使用
import requests

class SnykAPI:
    """Snyk API 客户端"""
    
    def __init__(self, api_token, org_id):
        self.api_token = api_token
        self.org_id = org_id
        self.base_url = 'https://api.snyk.io'
    
    def test_project(self, project_id):
        """测试项目漏洞"""
        url = f"{self.base_url}/org/{self.org_id}/projects/{project_id}/issues"
        headers = {'Authorization': f'token {self.api_token}'}
        
        response = requests.get(url, headers=headers)
        return response.json()
    
    def get_vulnerabilities(self, project_id):
        """获取漏洞列表"""
        issues = self.test_project(project_id)
        
        vulnerabilities = []
        for vuln in issues.get('issues', []):
            if vuln.get('type') == 'vuln':
                vulnerabilities.append({
                    'id': vuln['id'],
                    'package': vuln['pkg_name'],
                    'severity': vuln['severity'],
                    'cvss_score': vuln.get('cvss_score'),
                    'description': vuln['title'],
                    'upgrade_path': vuln.get('upgradePath', [])
                })
        
        return vulnerabilities
    
    def monitor_project(self, project_id):
        """监控项目"""
        url = f"{self.base_url}/org/{self.org_id}/projects/{project_id}"
        headers = {'Authorization': f'token {self.api_token}'}
        
        response = requests.get(url, headers=headers)
        return response.json()
```

### Dependabot 配置

```yaml
# GitHub Dependabot 配置
# .github/dependabot.yml
version: 2
updates:
  # Python 依赖
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
      time: "02:00"
      timezone: "Asia/Shanghai"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "deps"
    groups:
      security-updates:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
  
  # Node 依赖
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
  
  # Docker 镜像
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  
  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

# GitLab Dependabot 集成
# .gitlab/dependabot.yml
version: 2
registries:
  npm-registry:
    type: npm-registry
    url: https://registry.npmjs.org
    token: ${NPM_TOKEN}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    registries:
      - npm-registry
```

---

## 许可证合规

### 许可证类型

> ▎ 许可证不是法律条文，是合规边界。边界不清楚，使用就是风险的。

**常见许可证**：
```
宽松许可证 (Permissive):
├── MIT: 最宽松，几乎无限制
├── Apache 2.0: 宽松，有专利授权
├── BSD: 宽松，有署名要求
└── ISC: 类似 MIT

Copyleft 许可证:
├── GPL v2/v3: 强 Copyleft，衍生必须开源
├── LGPL: 弱 Copyleft，链接不受限
├── AGPL: 网络使用也算分发
└── MPL: 文件级 Copyleft

专有许可证:
├── 商业许可证
├── 定制许可证
└── 内部许可证

风险等级:
┌─────────────────┬──────────────┬──────────────┐
│     许可证      │   合规风险   │   使用建议   │
├─────────────────┼──────────────┼──────────────┤
│   MIT/Apache    │  低          │  可商用      │
├─────────────────┼──────────────┼──────────────┤
│   BSD           │  低          │  可商用      │
├─────────────────┼──────────────┼──────────────┤
│   LGPL          │  中          │  注意链接    │
├─────────────────┼──────────────┼──────────────┤
│   GPL           │  高          │  谨慎使用    │
├─────────────────┼──────────────┼──────────────┤
│   AGPL          │  很高        │  避免商用    │
└─────────────────┴──────────────┴──────────────┘
```

### 许可证扫描

```python
# 许可证扫描
import requests
from typing import List, Dict

class LicenseScanner:
    """许可证扫描器"""
    
    def __init__(self):
        # 许可证数据库
        self.license_db = {
            'MIT': {'risk': 'low', 'commercial': True},
            'Apache-2.0': {'risk': 'low', 'commercial': True},
            'BSD-3-Clause': {'risk': 'low', 'commercial': True},
            'GPL-2.0': {'risk': 'high', 'commercial': False},
            'GPL-3.0': {'risk': 'high', 'commercial': False},
            'AGPL-3.0': {'risk': 'critical', 'commercial': False},
            'LGPL-2.1': {'risk': 'medium', 'commercial': True},
            'MPL-2.0': {'risk': 'medium', 'commercial': True}
        }
    
    def scan_licenses(self, dependencies: List[Dict]) -> Dict:
        """扫描依赖许可证"""
        results = {
            'total': len(dependencies),
            'by_license': {},
            'by_risk': {'low': 0, 'medium': 0, 'high': 0, 'critical': 0},
            'issues': [],
            'commercial_safe': True
        }
        
        for dep in dependencies:
            license_info = self.get_license_info(dep)
            
            # 统计许可证类型
            for lic in license_info.get('licenses', []):
                if lic not in results['by_license']:
                    results['by_license'][lic] = 0
                results['by_license'][lic] += 1
                
                # 风险评估
                lic_info = self.license_db.get(lic, {'risk': 'unknown', 'commercial': None})
                risk = lic_info['risk']
                if risk in results['by_risk']:
                    results['by_risk'][risk] += 1
                
                # 商用检查
                if lic_info['commercial'] is False:
                    results['commercial_safe'] = False
                    results['issues'].append({
                        'component': dep['name'],
                        'version': dep['version'],
                        'license': lic,
                        'risk': risk,
                        'issue': 'Non-commercial license in commercial project'
                    })
        
        return results
    
    def get_license_info(self, dep: Dict) -> Dict:
        """获取许可证信息"""
        # 从多个数据源获取
        sources = [
            self.query_pypi_api,
            self.query_npm_api,
            self.query_github_api
        ]
        
        for source in sources:
            try:
                info = source(dep)
                if info:
                    return info
            except:
                continue
        
        return {'licenses': ['Unknown'], 'source': 'unknown'}
    
    def query_pypi_api(self, dep: Dict) -> Dict:
        """查询 PyPI"""
        url = f"https://pypi.org/pypi/{dep['name']}/json"
        response = requests.get(url)
        data = response.json()
        
        return {
            'licenses': data.get('info', {}).get('license', ['Unknown']),
            'source': 'PyPI'
        }
    
    def generate_compliance_report(self, scan_results: Dict) -> str:
        """生成合规报告"""
        report = """
# 许可证合规报告

## 摘要
- 总组件数：{total}
- 低风险：{low}
- 中风险：{medium}
- 高风险：{high}
- 严重风险：{critical}
- 商用安全：{commercial_safe}

## 许可证分布
{license_dist}

## 问题列表
{issues}

## 建议
{recommendations}
""".format(
            total=scan_results['total'],
            low=scan_results['by_risk']['low'],
            medium=scan_results['by_risk']['medium'],
            high=scan_results['by_risk']['high'],
            critical=scan_results['by_risk']['critical'],
            commercial_safe='是' if scan_results['commercial_safe'] else '否',
            license_dist=self.format_license_dist(scan_results['by_license']),
            issues=self.format_issues(scan_results['issues']),
            recommendations=self.get_recommendations(scan_results)
        )
        
        return report
```

---

## SBOM 管理

### SBOM 标准

> ▎ SBOM 不是清单，是供应链护照。护照不齐全，流通就是受阻的。

**SBOM 标准对比**：
```
┌─────────────────┬──────────────┬──────────────┬──────────────┐
│     标准        │   格式       │   支持度     │   工具       │
├─────────────────┼──────────────┼──────────────┼──────────────┤
│   CycloneDX     │  JSON/XML    │  高          │  广泛        │
├─────────────────┼──────────────┼──────────────┼──────────────┤
│   SPDX          │  JSON/Tag    │  高          │  广泛        │
├─────────────────┼──────────────┼──────────────┼──────────────┤
│   SWID          │  XML         │  中          │  有限        │
└─────────────────┴──────────────┴──────────────┴──────────────┘

推荐：CycloneDX (开发者友好，工具支持好)
```

### SBOM 生成

```python
# SBOM 生成
import json
from datetime import datetime

class SBOMGenerator:
    """SBOM 生成器"""
    
    def generate_cyclonedx(self, dependencies: List[Dict], project_info: Dict) -> Dict:
        """生成 CycloneDX 格式 SBOM"""
        sbom = {
            'bomFormat': 'CycloneDX',
            'specVersion': '1.4',
            'serialNumber': f"urn:uuid:{self.generate_uuid()}",
            'version': 1,
            'metadata': {
                'timestamp': datetime.utcnow().isoformat() + 'Z',
                'tools': [
                    {
                        'vendor': 'my-org',
                        'name': 'sca-scanner',
                        'version': '1.0.0'
                    }
                ],
                'component': {
                    'type': 'application',
                    'name': project_info.get('name', 'unknown'),
                    'version': project_info.get('version', '0.0.0'),
                    'purl': self.generate_purl(project_info)
                }
            },
            'components': [],
            'dependencies': []
        }
        
        # 添加组件
        for dep in dependencies:
            component = {
                'type': 'library',
                'name': dep['name'],
                'version': dep['version'],
                'purl': self.generate_purl(dep),
                'scope': 'runtime' if dep.get('direct', True) else 'required',
                'licenses': dep.get('licenses', []),
                'externalReferences': self.get_external_refs(dep)
            }
            
            sbom['components'].append(component)
            
            # 添加依赖关系
            if dep.get('transitive_deps'):
                sbom['dependencies'].append({
                    'ref': component['purl'],
                    'dependsOn': [self.generate_purl(d) for d in dep['transitive_deps']]
                })
        
        return sbom
    
    def generate_spdx(self, dependencies: List[Dict], project_info: Dict) -> Dict:
        """生成 SPDX 格式 SBOM"""
        spdx = {
            'spdxVersion': 'SPDX-2.3',
            'dataLicense': 'CC0-1.0',
            'SPDXID': 'SPDXRef-DOCUMENT',
            'name': project_info.get('name', 'unknown'),
            'documentNamespace': f"https://sbom.example.org/{project_info.get('name', 'unknown')}-{self.generate_uuid()}",
            'creationInfo': {
                'created': datetime.utcnow().isoformat() + 'Z',
                'creators': ['Tool: sca-scanner-1.0.0']
            },
            'packages': [],
            'relationships': []
        }
        
        # 添加主包
        spdx['packages'].append({
            'SPDXID': 'SPDXRef-Package-main',
            'name': project_info.get('name', 'unknown'),
            'versionInfo': project_info.get('version', '0.0.0'),
            'downloadLocation': 'NOASSERTION',
            'filesAnalyzed': False
        })
        
        # 添加依赖包
        for i, dep in enumerate(dependencies):
            pkg_id = f'SPDXRef-Package-{i+1}'
            
            spdx['packages'].append({
                'SPDXID': pkg_id,
                'name': dep['name'],
                'versionInfo': dep['version'],
                'downloadLocation': self.get_download_url(dep),
                'filesAnalyzed': False,
                'licenseConcluded': self.get_license_expression(dep)
            })
            
            # 依赖关系
            spdx['relationships'].append({
                'spdxElementId': 'SPDXRef-Package-main',
                'relatedSpdxElement': pkg_id,
                'relationshipType': 'DEPENDS_ON'
            })
        
        return spdx
    
    def generate_purl(self, component: Dict) -> str:
        """生成 Package URL"""
        pkg_type = component.get('type', 'library')
        namespace = component.get('namespace', '')
        name = component['name']
        version = component.get('version', '')
        
        # 根据生态系统确定命名空间
        if 'pypi' in str(component.get('ecosystem', '')).lower():
            pkg_type = 'pypi'
        elif 'npm' in str(component.get('ecosystem', '')).lower():
            pkg_type = 'npm'
        elif 'maven' in str(component.get('ecosystem', '')).lower():
            pkg_type = 'maven'
            namespace = component.get('group', '')
        
        purl = f"pkg:{pkg_type}/"
        if namespace:
            purl += f"{namespace}/"
        purl += name
        if version:
            purl += f"@{version}"
        
        return purl
    
    def generate_uuid(self) -> str:
        """生成 UUID"""
        import uuid
        return str(uuid.uuid4())
    
    def get_external_refs(self, dep: Dict) -> List[Dict]:
        """获取外部引用"""
        refs = []
        
        if dep.get('homepage'):
            refs.append({
                'type': 'website',
                'url': dep['homepage']
            })
        
        if dep.get('repository'):
            refs.append({
                'type': 'vcs',
                'url': dep['repository']
            })
        
        return refs
```

---

## CI/CD 集成

### GitHub Actions 集成

```yaml
# .github/workflows/sca-scan.yml
name: SCA Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'  # 每天凌晨 3 点

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Setup Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'
    
    # OWASP Dependency-Check
    - name: Run OWASP Dependency-Check
      uses: dependency-check/Dependency-Check_Action@main
      with:
        project: 'my-project'
        path: '.'
        format: 'HTML'
        out: 'reports/'
        args: >
          --failOnCVSS 7
          --enableRetired
    
    - name: Upload Dependency-Check Report
      uses: actions/upload-artifact@v3
      with:
        name: dependency-check-report
        path: reports/
    
    # Snyk
    - name: Run Snyk
      uses: snyk/actions/python@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        args: --severity-threshold=high --sarif-file-output=snyk.sarif
    
    - name: Upload Snyk Results
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: snyk.sarif
    
    # Generate SBOM
    - name: Generate SBOM
      run: |
        pip install cyclonedx-bom
        cyclonedx-py -r requirements.txt -o sbom.json
    
    - name: Upload SBOM
      uses: actions/upload-artifact@v3
      with:
        name: sbom
        path: sbom.json
    
    # Security Gate
    - name: Security Gate
      run: |
        python scripts/check_sca_results.py

dependabot-auto-merge:
    runs-on: ubuntu-latest
    needs: dependency-check
    if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
    
    steps:
    - name: Auto-merge Dependabot PRs
      uses: pascalgn/automerge-action@v0.15.0
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        MERGE_METHOD: squash
```

---

## 漏洞修复策略

### 修复优先级

> ▎ 修复不是按时间，是按风险。风险不优先，资源就是浪费的。

**修复优先级模型**：
```python
# 漏洞修复优先级
class VulnerabilityPrioritizer:
    """漏洞修复优先级"""
    
    def prioritize(self, vulnerabilities: List[Dict]) -> List[Dict]:
        """对漏洞进行优先级排序"""
        for vuln in vulnerabilities:
            vuln['priority_score'] = self.calculate_priority(vuln)
        
        # 排序
        vulnerabilities.sort(key=lambda x: x['priority_score'], reverse=True)
        
        return vulnerabilities
    
    def calculate_priority(self, vuln: Dict) -> int:
        """计算优先级分数"""
        score = 0
        
        # CVSS 分数 (0-40 分)
        cvss = vuln.get('cvss_score', 0)
        score += int(cvss * 4)
        
        # 是否有已知利用 (0-30 分)
        if vuln.get('exploit_available', False):
            score += 30
        elif vuln.get('exploit_in_the_wild', False):
            score += 25
        
        # 是否直接依赖 (0-20 分)
        if vuln.get('direct_dependency', True):
            score += 20
        else:
            score += 10
        
        # 是否有修复版本 (0-10 分)
        if vuln.get('fixed_version'):
            score += 10  # 有修复，优先修复
        
        return score
    
    def get_remediation_plan(self, vulnerabilities: List[Dict]) -> Dict:
        """生成修复计划"""
        prioritized = self.prioritize(vulnerabilities)
        
        plan = {
            'immediate': [],  # 立即修复 (分数 >= 80)
            'this_week': [],  # 本周修复 (分数 >= 60)
            'this_month': [], # 本月修复 (分数 >= 40)
            'backlog': []     # 待办 (分数 < 40)
        }
        
        for vuln in prioritized:
            if vuln['priority_score'] >= 80:
                plan['immediate'].append(vuln)
            elif vuln['priority_score'] >= 60:
                plan['this_week'].append(vuln)
            elif vuln['priority_score'] >= 40:
                plan['this_month'].append(vuln)
            else:
                plan['backlog'].append(vuln)
        
        return plan
```

### 修复策略

```markdown
# 漏洞修复策略

## 立即修复 (Critical/High + 有利用)

### 条件
- CVSS >= 9.0
- 或有已知利用
- 且影响生产

### 行动
1. 立即评估影响范围
2. 制定修复/缓解方案
3. 紧急发布修复
4. 验证修复效果

## 本周修复 (High)

### 条件
- CVSS >= 7.0
- 无已知利用

### 行动
1. 计划修复窗口
2. 测试修复版本
3. 按计划发布

## 本月修复 (Medium)

### 条件
- CVSS >= 4.0

### 行动
1. 纳入常规发布计划
2. 随其他更新一起发布

## 待办 (Low)

### 条件
- CVSS < 4.0

### 行动
1. 记录在案
2. 定期审查
3. 随大版本更新
```

---

统计 **Sprint 交付 · 绩效评估**
```
┌───────────────┬────────────────┬────────────────┐
│  主动出击   │ ██████████ 5/5 │ [PUA 生效] 充足 │
├───────────────┼────────────────┼────────────────┤
│ + 验证闭环   │ ██████████ 5/5 │ 案例完整       │
├───────────────┼────────────────┼────────────────┤
│ 设计 代码质量   │ ██████████ 5/5 │ 生产就绪       │
└───────────────┴────────────────┴────────────────┘
综合：4.5
```
▎ 这才配得上 P8。SCA 不是扫依赖，是管风险。风险不管控，供应链就是脆弱的。

---

## 总结与思考

### 核心要点回顾

> ▎ 复盘四步法：回顾目标、评估结果、分析原因、总结经验。别跳过——这是闭环。

**SCA 框架**：
```
1. 依赖发现
   - 多语言支持
   - 传递依赖
   - 版本解析

2. 漏洞匹配
   - 多数据源
   - CVE 匹配
   - 风险评估

3. 许可证合规
   - 许可证识别
   - 合规检查
   - 风险报告

4. SBOM 管理
   - CycloneDX
   - SPDX
   - 持续更新
```

**关键成功因素**：
```
1. 自动化
   - CI/CD 集成
   - 自动修复
   - 持续监控

2. 流程化
   - 修复优先级
   - 审批流程
   - 验证闭环

3. 可视化
   - 仪表板
   - 趋势分析
   - 合规报告
```

### 实战建议

> ▎ 我给你指了路，走不走是你的事。机会给了，抓不抓得住看你。

**SCA 建设**：
```
1. 工具选型
   - 开源 vs 商业
   - 语言支持
   - 集成能力

2. 流程建立
   - 扫描频率
   - 修复 SLA
   - 审批流程

3. 持续运营
   - 定期扫描
   - 趋势跟踪
   - 持续改进
```

---

## 参考资料

### 学习资源
```
- OWASP SCA Guide
  https://owasp.org/www-community/Software_Component_Analysis

- CycloneDX Specification
  https://cyclonedx.org/

- SPDX Specification
  https://spdx.github.io/spdx-spec/
```

### 工具资源
```
- OWASP Dependency-Check
  https://owasp.org/www-project-dependency-check/

- Snyk
  https://snyk.io/

- Dependabot
  https://github.com/dependabot
```

### 漏洞数据库
```
- NVD (National Vulnerability Database)
  https://nvd.nist.gov/

- OSV (Open Source Vulnerabilities)
  https://osv.dev/

- GitHub Advisory Database
  https://github.com/advisories
```

### 书籍推荐
```
- 《Software Supply Chain Security》
- 《Dependency Management Best Practices》
- 《SBOM Implementation Guide》
```

---

**标记 明日预告**：Day 152 - 依赖漏洞管理

> ▎ SCA 是分析方法，依赖管理是运营实践——明天看依赖漏洞管理。

> 本文内容仅供学习和研究使用，请勿用于非法目的。所有实验请在隔离环境中进行。

---

*本文是 365 天信息安全技术系列的第 151 篇，应用安全部分第 44 篇，精编版本*

*应用安全核心系列继续！*