Realize Ultimate Security every step starts with the labs
www.onwardsecurity.com
2021 Best IoT Cybersecurity Company
How to use open source software with greater confidence
白尚永 Bruce
2021/10/13
© 2021 Onward Security Corp. All rights reserved.
CONTENTS
01 The importance of open source software risk management
02 Implementing open source software security management with SecSAM
03 SecSAM demo
01 The importance of open source software risk management
Share of development that relies on open source software, by industry
Ref: 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Understanding the composition of a product

Final application/product = self-developed source code + third-party developed software + open source software

Component category and its risk management

Self-developed source code
• Maintained by in-house developers
• Covered by the in-house security policy

Third-party developed software
• Security is the responsibility of the third-party vendor
• Known commercial source

Open source software
• Hundreds or thousands of code contributors
• Nobody dedicated to maintaining its security
• No corporate liability
• Security testing?
• Complex supply chain network
Software Composition
Software supply chain and the Software Bill of Materials (SBOM)
Ref: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Ref: https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf
Growing support and importance of SBOM Projects
• BSA Framework for Secure Software.
• Building Security in Maturity Model
• CISQ Trustworthy System Manifesto
• FS-ISAC Third Party Governance
• ISO/IEC 27002:2005 and 27002:2013
• Linux Foundation OpenChain
• Manufacturers Disclosure Statement for Medical Device Security
• MITRE Deliver Uncompromised
• NIST's Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)
…
"Within two years, software buyers will require a software bill of materials (SBOM) when purchasing products."
Gartner
Vulnerability
Vulnerabilities in open source codebases

98%: 98% of scanned applications contain open source software (OSS) components; each application contains 257 components on average.
78%: 78% of examined codebases contain at least one vulnerability; each application has 158 vulnerabilities on average, and those vulnerabilities have been present for more than 2.2 years on average.
75%: up to 75% of the analyzed application codebases consist of open source software components.

Existing vulnerability risk | Open source codebase risk rising year over year
Ref: 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
License
Complex license types and legal issues

65%: 65% of scanned codebases have problems with improper license use.

Legal issues with licensing: the rise of OSS copyright trolls. OSS developers are using license terms for profit often enough that it has begun to affect the market.
02 Implementing open source software security management with SecSAM

Building a risk inventory manually?

Building an open source risk inventory by hand takes an enormous amount of time
Component Version Vendor CVE Code Severity (2.0) CVSS Score(2.0) Severity (3.0) CVSS Score(3.0) Description Reference (Patch) Reference (Vendor Advisory) Reference (ThirdParty Advisory)
bash 4.4.18 gnu CVE-2019-18276 HIGH 7.2 HIGH 7.8 An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run https://github.com/bminor/bash/commit/951bdaad7a18cc0dc103 http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-
bind 9.11.5 isc CVE-2021-25216 MEDIUM 6.8 CRITICAL 9.8 In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of http://www.openwall.com/lists/oss-security/2021/04/29/1
bind 9.11.5 isc CVE-2021-25215 MEDIUM 5.0 HIGH 7.5 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of https://kb.isc.org/v1/docs/cve-2021-25215 http://www.openwall.com/lists/oss-security/2021/04/29/1
bind 9.11.5 isc CVE-2021-25214 MEDIUM 4.0 MEDIUM 6.5 In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> https://kb.isc.org/v1/docs/cve-2021-25214 http://www.openwall.com/lists/oss-security/2021/04/29/1
bind 9.11.5 isc CVE-2020-8625 MEDIUM 6.8 HIGH 8.1 BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a http://www.openwall.com/lists/oss-security/2021/02/19/1 https://kb.isc.org/v1/docs/cve-2020-8625 https://www.debian.org/security/2021/dsa-4857
bind 9.11.5 isc CVE-2020-8624 MEDIUM 4.0 MEDIUM 4.3 In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 - https://kb.isc.org/docs/cve-2020-8624 https://lists.fedoraproject.org/archives/list/package-
bind 9.11.5 isc CVE-2020-8623 MEDIUM 4.3 HIGH 7.5 In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 https://kb.isc.org/docs/cve-2020-8623 https://lists.fedoraproject.org/archives/list/package-
bind 9.11.5 isc CVE-2020-8622 MEDIUM 4.0 MEDIUM 6.5 In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 https://kb.isc.org/docs/cve-2020-8622 https://lists.fedoraproject.org/archives/list/package-
bind 9.11.5 isc CVE-2020-8617 MEDIUM 5.0 HIGH 7.5 Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if https://kb.isc.org/docs/cve-2020-8617 https://kb.isc.org/docs/cve-2020-8617 http://www.openwall.com/lists/oss-security/2020/05/19/4
bind 9.11.5 isc CVE-2020-8616 MEDIUM 5.0 HIGH 8.6 A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when https://kb.isc.org/docs/cve-2020-8616 https://kb.isc.org/docs/cve-2020-8616 http://www.nxnsattack.com
bind 9.11.5 isc CVE-2019-6470 MEDIUM 5.0 HIGH 7.5 There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in https://lists.opensuse.org/opensuse-security-announce/2019-
bind 9.11.5 isc CVE-2019-6471 MEDIUM 4.3 MEDIUM 5.9 A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE https://kb.isc.org/docs/cve-2019-6471
bind 9.11.5 isc CVE-2018-5743 MEDIUM 4.3 HIGH 7.5 By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number https://kb.isc.org/docs/cve-2018-5743
busybox 1.29.3 busybox CVE-2019-5747 MEDIUM 5 HIGH 7.5 An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4 https://bugs.busybox.net/show_bug.cgi?id=11506
busybox 1.29.3 busybox CVE-2018-20679 MEDIUM 5 HIGH 7.5 An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the https://git.busybox.net/busybox/commit/?id=6d3b4bb24da9a07c2 https://bugs.busybox.net/show_bug.cgi?id=11506
busybox 1.29.3 busybox CVE-2018-1000500 MEDIUM 6.8 HIGH 8.1 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d74 http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
conntrack-tools 1.0.1 netfilter CVE-2015-6496 MEDIUM 5.0 N/A N/A conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that the optional kernel modules are loaded before https://git.netfilter.org/conntrack- https://git.netfilter.org/conntrack- http://www.debian.org/security/2015/dsa-3341
coreutils 8.30 gnu CVE-2016-2781 LOW 2.1 MEDIUM 6.5 chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted http://www.openwall.com/lists/oss-security/2016/02/28/3
curl 7.61.0 haxx CVE-2020-8284 MEDIUM 4.3 LOW 3.7 A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP https://curl.se/docs/CVE-2020-8284.html https://lists.fedoraproject.org/archives/list/package-
curl 7.61.0 haxx CVE-2019-5482 HIGH 7.5 CRITICAL 9.8 Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. https://curl.haxx.se/docs/CVE-2019-5482.html
curl 7.61.0 haxx CVE-2019-5481 HIGH 7.5 CRITICAL 9.8 Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. https://curl.haxx.se/docs/CVE-2019-5481.html
curl 7.61.0 haxx CVE-2019-5443 MEDIUM 4.6 HIGH 7.8 A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) http://www.openwall.com/lists/oss-security/2019/06/24/1 https://curl.haxx.se/docs/CVE-2019-5443.html http://www.openwall.com/lists/oss-security/2019/06/24/1
curl 7.61.0 haxx CVE-2018-16842 MEDIUM 6.4 CRITICAL 9.1 Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3 https://curl.haxx.se/docs/CVE-2018-16842.html https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3
curl 7.61.0 haxx CVE-2018-16840 HIGH 7.5 CRITICAL 9.8 A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy https://github.com/curl/curl/commit/81d135d67155c5295b103367 https://curl.haxx.se/docs/CVE-2018-16840.html https://github.com/curl/curl/commit/81d135d67155c5295b103367
curl 7.61.0 haxx CVE-2018-16839 HIGH 7.5 CRITICAL 9.8 Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee https://curl.haxx.se/docs/CVE-2018-16839.html https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee
e2fsprogs 1.44.3 e2fsprogs_project CVE-2019-5188 MEDIUM 4.6 MEDIUM 6.7 A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially https://talosintelligence.com/vulnerability_reports/TALOS-2019-
e2fsprogs 1.44.3 e2fsprogs_project CVE-2019-5094 MEDIUM 4.6 MEDIUM 6.7 An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted https://talosintelligence.com/vulnerability_reports/TALOS-2019-
iproute2 3.16.0 iproute2_project CVE-2019-20795 LOW 2.1 MEDIUM 4.4 iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/com https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/com
libarchive 3.3.3 libarchive CVE-2019-18408 MEDIUM 5.0 HIGH 7.5 archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after- https://github.com/libarchive/libarchive/commit/b8592ecba2f9e45 https://github.com/libarchive/libarchive/commit/b8592ecba2f9e45
libarchive 3.3.3 libarchive CVE-2019-11463 MEDIUM 4.3 MEDIUM 5.5 A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev https://github.com/libarchive/libarchive/commit/ba641f73f3d758d https://github.com/libarchive/libarchive/issues/1165
libarchive 3.3.3 libarchive CVE-2019-1000020 MEDIUM 4.3 MEDIUM 6.5 libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a https://github.com/libarchive/libarchive/pull/1120/commits/8312ea https://github.com/libarchive/libarchive/pull/1120/commits/8312ea
libarchive 3.3.3 libarchive CVE-2019-1000019 MEDIUM 4.3 MEDIUM 6.5 libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a https://github.com/libarchive/libarchive/pull/1120/commits/65a23f https://github.com/libarchive/libarchive/pull/1120/commits/65a23f
libarchive 3.3.3 libarchive CVE-2018-1000880 MEDIUM 4.3 MEDIUM 6.5 libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains https://github.com/libarchive/libarchive/pull/1105/commits/9c84b7 https://github.com/libarchive/libarchive/pull/1105/commits/9c84b7
libarchive 3.3.3 libarchive CVE-2018-1000879 MEDIUM 4.3 MEDIUM 6.5 libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a https://github.com/libarchive/libarchive/pull/1105/commits/15bf44 https://github.com/libarchive/libarchive/pull/1105/commits/15bf44
libarchive 3.3.3 libarchive CVE-2018-1000878 MEDIUM 6.8 HIGH 8.8 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains https://github.com/libarchive/libarchive/pull/1105/commits/bfcfe6f https://github.com/libarchive/libarchive/pull/1105/commits/bfcfe6f
libarchive 3.3.3 libarchive CVE-2018-1000877 MEDIUM 6.8 HIGH 8.8 libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains https://github.com/libarchive/libarchive/pull/1105/commits/021efa https://github.com/libarchive/libarchive/pull/1105/commits/021efa
libidn2 2.0.5 gnu CVE-2019-12290 MEDIUM 5.0 HIGH 7.5 GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A- https://gitlab.com/libidn/libidn2/merge_requests/71 https://gitlab.com/libidn/libidn2/merge_requests/71
libidn2 2.0.5 gnu CVE-2019-18224 HIGH 7.5 CRITICAL 9.8 idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string. https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a0506 https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-
libpcap 1.8.1 tcpdump CVE-2019-15165 MEDIUM 5.0 MEDIUM 5.3 sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory. https://github.com/the-tcpdump- https://www.tcpdump.org/public-cve-list.txt https://github.com/the-tcpdump-
libpcap 1.8.1 tcpdump CVE-2019-15164 MEDIUM 5.0 MEDIUM 5.3 rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source. https://github.com/the-tcpdump- https://www.tcpdump.org/public-cve-list.txt https://github.com/the-tcpdump-
libpcap 1.8.1 tcpdump CVE-2019-15163 MEDIUM 5.0 HIGH 7.5 rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a denial of service (NULL pointer dereference and https://github.com/the-tcpdump- https://github.com/the-tcpdump-group/libpcap/blob/libpcap-
libpcap 1.8.1 tcpdump CVE-2019-15162 MEDIUM 5.0 MEDIUM 5.3 rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provides details about why authentication failed, https://github.com/the-tcpdump- https://www.tcpdump.org/public-cve-list.txt https://github.com/the-tcpdump-
libpcap 1.8.1 tcpdump CVE-2019-15161 MEDIUM 5.0 MEDIUM 5.3 rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length values because of reuse of a variable. This may https://github.com/the-tcpdump- https://www.tcpdump.org/public-cve-list.txt https://github.com/the-tcpdump-
libsolv 0.6.35 opensuse CVE-2018-20533 MEDIUM 4.3 MEDIUM 6.5 There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv https://github.com/openSUSE/libsolv/pull/291 https://github.com/openSUSE/libsolv/pull/291
libsolv 0.6.35 opensuse CVE-2018-20532 MEDIUM 4.3 MEDIUM 6.5 There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 https://github.com/openSUSE/libsolv/pull/291 https://github.com/openSUSE/libsolv/pull/291
libsolv 0.6.35 opensuse CVE-2021-3200 MEDIUM 4.3 MEDIUM 6.5 Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char https://github.com/yangjiageng/PoC/blob/master/libsolv-
libsolv 0.6.35 opensuse CVE-2019-20387 MEDIUM 5.0 HIGH 7.5 repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6 https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6
libsolv 0.6.35 opensuse CVE-2018-20534 MEDIUM 4.3 MEDIUM 6.5 ** DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a https://github.com/openSUSE/libsolv/pull/291 https://github.com/openSUSE/libsolv/pull/291
libxml2 2.9.8 xmlsoft CVE-2019-19956 MEDIUM 5.0 HIGH 7.5 xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc- https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683 https://lists.debian.org/debian-lts-
libxml2 2.9.8 xmlsoft CVE-2021-3517 HIGH 7.5 HIGH 8.6 There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to https://bugzilla.redhat.com/show_bug.cgi?id=1954232 https://bugzilla.redhat.com/show_bug.cgi?id=1954232
libxml2 2.9.8 xmlsoft CVE-2021-3518 MEDIUM 6.8 HIGH 8.8 There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by https://bugzilla.redhat.com/show_bug.cgi?id=1954242 https://lists.fedoraproject.org/archives/list/package-
libxml2 2.9.8 xmlsoft CVE-2021-3537 MEDIUM 4.3 MEDIUM 5.9 A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML https://bugzilla.redhat.com/show_bug.cgi?id=1956522 https://bugzilla.redhat.com/show_bug.cgi?id=1956522
libxml2 2.9.8 xmlsoft CVE-2018-14567 MEDIUM 4.3 MEDIUM 6.5 libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054 https://usn.ubuntu.com/3739-1/
libxml2 2.9.8 xmlsoft CVE-2018-14404 MEDIUM 5.0 HIGH 7.5 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through https://gitlab.gnome.org/GNOME/libxml2/issues/10 https://bugzilla.redhat.com/show_bug.cgi?id=1595985
libxml2 2.9.8 xmlsoft CVE-2018-9251 LOW 2.6 MEDIUM 5.3 The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of https://bugzilla.gnome.org/show_bug.cgi?id=794914
lighttpd 1.4.51 lighttpd CVE-2019-11072 HIGH 7.5 CRITICAL 9.8 ** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a https://redmine.lighttpd.net/issues/2945 https://redmine.lighttpd.net/issues/2945
miniupnpd 1.9 miniupnp_project CVE-2019-12111 MEDIUM 5.0 HIGH 7.5 A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in https://www.vdoo.com/blog/security-issues-discovered-in- https://www.vdoo.com/blog/security-issues-discovered-in-
miniupnpd 1.9 miniupnp_project CVE-2019-12109 MEDIUM 5.0 HIGH 7.5 A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in https://www.vdoo.com/blog/security-issues-discovered-in- https://www.vdoo.com/blog/security-issues-discovered-in-
miniupnpd 1.9 miniupnp_project CVE-2019-12108 MEDIUM 5.0 HIGH 7.5 A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in https://www.vdoo.com/blog/security-issues-discovered-in- https://www.vdoo.com/blog/security-issues-discovered-in-
miniupnpd 1.9 miniupnp_project CVE-2017-1000494 MEDIUM 4.6 HIGH 7.8 Uninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an https://github.com/miniupnp/miniupnp/commit/7aeb624b44f86d3 https://github.com/miniupnp/miniupnp/issues/268
miniupnpd 1.9 miniupnp_project CVE-2017-8798 HIGH 7.5 CRITICAL 9.8 Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a http://miniupnp.free.fr/files/changelog.php?file=miniupnpc- https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798
nettle 3.4 nettle_project CVE-2021-20305 MEDIUM 6.8 HIGH 8.1 A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, https://bugzilla.redhat.com/show_bug.cgi?id=1942533 https://bugzilla.redhat.com/show_bug.cgi?id=1942533
nettle 3.4 nettle_project CVE-2018-16869 LOW 3.3 MEDIUM 5.7 A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian http://cat.eyalro.net/
openssh 7.8 openbsd CVE-2021-28041 MEDIUM 4.6 HIGH 7.1 ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as https://github.com/openssh/openssh- https://www.openssh.com/txt/release-8.5 https://github.com/openssh/openssh-
openssh 7.8 openbsd CVE-2020-15778 MEDIUM 6.8 HIGH 7.8 ** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as https://www.openssh.com/security.html https://github.com/cpandya2909/CVE-2020-15778/
openssh 7.8 openbsd CVE-2020-14145 MEDIUM 4.3 MEDIUM 5.9 The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the http://www.openwall.com/lists/oss-security/2020/12/02/1 http://www.openwall.com/lists/oss-security/2020/12/02/1
openssh 7.8 openbsd CVE-2019-16905 MEDIUM 4.4 HIGH 7.8 OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication https://cvsweb.openbsd.org/cgi- https://cvsweb.openbsd.org/cgi- https://0day.life/exploits/0day-1009.html
openssh 7.8 openbsd CVE-2019-6111 MEDIUM 5.8 MEDIUM 5.9 An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server http://www.securityfocus.com/bid/106741
openssh 7.8 openbsd CVE-2019-6110 MEDIUM 4 MEDIUM 6.8 In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in- https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://security.gentoo.org/glsa/201903-16
openssh 7.8 openbsd CVE-2019-6109 MEDIUM 4 MEDIUM 6.8 An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://lists.debian.org/debian-lts-
openssh 7.8 openbsd CVE-2018-20685 LOW 2.6 MEDIUM 5.3 In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the https://cvsweb.openbsd.org/cgi- http://www.securityfocus.com/bid/106531
openssh 7.8 openbsd CVE-2018-15919 MEDIUM 5 MEDIUM 5.3 Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect http://seclists.org/oss-sec/2018/q3/180 http://seclists.org/oss-sec/2018/q3/180
openssl 1.1.1b openssl CVE-2021-3449 MEDIUM 4.3 MEDIUM 5.9 An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9f https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9f https://tools.cisco.com/security/center/content/CiscoSecurityAdvi
openssl 1.1.1b openssl CVE-2021-23841 MEDIUM 4.3 MEDIUM 5.9 The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122 https://www.openssl.org/news/secadv/20210216.txt https://www.debian.org/security/2021/dsa-4855
openssl 1.1.1b openssl CVE-2021-23840 MEDIUM 5 HIGH 7.5 Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a5 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a5 https://www.debian.org/security/2021/dsa-4855
openssl 1.1.1b openssl CVE-2020-1971 MEDIUM 4.3 MEDIUM 5.9 The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f96 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f96 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA
openssl 1.1.1b openssl CVE-2019-1551 MEDIUM 5 MEDIUM 5.3 There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419 http://lists.opensuse.org/opensuse-security-announce/2020-
openssl 1.1.1b openssl CVE-2019-1563 MEDIUM 4.3 LOW 3.7 In situations where an attacker receives automated notification of the success or failure of a decryption attempt an https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=082 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=082
openssl 1.1.1b openssl CVE-2019-1549 MEDIUM 5 MEDIUM 5.3 OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0
openssl 1.1.1b openssl CVE-2019-1547 LOW 1.9 MEDIUM 4.7 Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c https://arxiv.org/abs/1909.01785
openssl 1.1.1b openssl CVE-2019-1552 LOW 1.9 LOW 3.3 OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54a https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54a
openssl 1.1.1b openssl CVE-2019-1543 MEDIUM 5.8 HIGH 7.4 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee2 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee2
openssl 1.1.1b openssl CVE-2019-0190 MEDIUM 5 HIGH 7.5 A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20190125-0001/
openssl 1.1.1b openssl CVE-2009-3767 MEDIUM 4.3 N/A N/A libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o. http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o. http://lists.apple.com/archives/security-
openssl 1.1.1b openssl CVE-2009-3766 MEDIUM 6.8 N/A N/A mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name http://dev.mutt.org/trac/ticket/3087 http://dev.mutt.org/trac/ticket/3087 http://marc.info/?l=oss-security&m=125198917018936&w=2
openssl 1.1.1b openssl CVE-2009-3765 MEDIUM 6.8 N/A N/A mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '0' character in a domain
openssl 1.1.1b openssl CVE-2009-1390 MEDIUM 6.8 N/A N/A Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a
openssl 1.1.1b openssl CVE-2007-5536 MEDIUM 4.9 N/A N/A Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to http://h20000.www2.hp.com/bizsupport/TechSupport/Document.j
perl 5.24.4 perl CVE-2020-12723 MEDIUM 5.0 HIGH 7.5 regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3 https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
perl 5.24.4 perl CVE-2020-10878 HIGH 7.5 HIGH 8.6 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3 https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
perl 5.24.4 perl CVE-2020-10543 MEDIUM 6.4 HIGH 8.2 Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
perl 5.24.4 perl CVE-2018-18314 HIGH 7.5 CRITICAL 9.8 Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. https://rt.perl.org/Ticket/Display.html?id=131649 https://www.debian.org/security/2018/dsa-4347
perl 5.24.4 perl CVE-2018-18313 MEDIUM 6.4 CRITICAL 9.1 Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb https://www.debian.org/security/2018/dsa-4347
perl 5.24.4 perl CVE-2018-18311 HIGH 7.5 CRITICAL 9.8 Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b https://www.debian.org/security/2018/dsa-4347
perl 5.24.4 perl CVE-2018-18312 HIGH 7.5 CRITICAL 9.8 Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid https://rt.perl.org/Public/Bug/Display.html?id=133423 https://www.debian.org/security/2018/dsa-4347
perl 5.24.4 perl CVE-2018-12015 MEDIUM 6.4 HIGH 7.5 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection https://security.netapp.com/advisory/ntap-20180927-0001/ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
perl 5.24.4 perl CVE-2018-6913 HIGH 7.5 CRITICAL 9.8 Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute https://rt.perl.org/Public/Bug/Display.html?id=131844 https://www.debian.org/security/2018/dsa-4172
perl 5.24.4 perl CVE-2018-6798 MEDIUM 5.0 HIGH 7.5 An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause https://rt.perl.org/Public/Bug/Display.html?id=132063 https://www.debian.org/security/2018/dsa-4172
perl 5.24.4 perl CVE-2018-6797 HIGH 7.5 CRITICAL 9.8 An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer https://rt.perl.org/Public/Bug/Display.html?id=132227 https://rt.perl.org/Public/Bug/Display.html?id=132227 https://www.debian.org/security/2018/dsa-4172
perl 5.24.4 perl CVE-2016-1246 MEDIUM 5.0 HIGH 7.5 Buffer overflow in the DBD::mysql module before 4.037 for Perl allows context-dependent attackers to cause a denial https://github.com/perl5-dbi/DBD- http://blogs.perl.org/users/mike_b/2016/10/security-release--- http://blogs.perl.org/users/mike_b/2016/10/security-release---
perl 5.24.4 perl CVE-2016-6185 MEDIUM 4.6 HIGH 7.8 The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which https://rt.cpan.org/Public/Bug/Display.html?id=115808 http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7 https://lists.fedoraproject.org/archives/list/package-
perl 5.24.4 perl CVE-2011-3599 MEDIUM 5.8 N/A N/A The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the https://rt.cpan.org/Public/Bug/Display.html?id=71421 http://secunia.com/advisories/46275
perl 5.24.4 perl CVE-2011-2201 MEDIUM 4.3 N/A N/A The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
perl 5.24.4 perl CVE-2010-1168 HIGH 7.5 N/A N/A The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) http://www.redhat.com/support/errata/RHSA-2010-0457.html
perl 5.24.4 perl CVE-2009-1884 MEDIUM 4.3 N/A N/A Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows http://www.securityfocus.com/bid/36082 http://secunia.com/advisories/36386
perl 5.24.4 perl CVE-2009-0663 HIGH 7.5 N/A N/A Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context- http://security.debian.org/pool/updates/main/libd/libdbd-pg-
systemd 239 freedesktop CVE-2020-13776 MEDIUM 6.2 MEDIUM 6.7 systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by https://github.com/systemd/systemd/issues/15985
systemd 239 freedesktop CVE-2020-1712 MEDIUM 4.6 HIGH 7.8 A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries https://github.com/systemd/systemd/commit/ea0d0ede03c6f18db https://github.com/systemd/systemd/commit/ea0d0ede03c6f18db
systemd 239 freedesktop CVE-2019-20386 LOW 2.1 LOW 2.4 An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm https://github.com/systemd/systemd/commit/b2774a3ae692113e https://github.com/systemd/systemd/commit/b2774a3ae692113e
systemd 239 freedesktop CVE-2018-21029 HIGH 7.5 CRITICAL 9.8 ** DISPUTED ** systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over https://github.com/systemd/systemd/blob/v243/src/resolve/resolv https://github.com/systemd/systemd/issues/9397
systemd 239 freedesktop CVE-2019-3844 MEDIUM 4.6 HIGH 7.8 It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844
systemd 239 freedesktop CVE-2019-3843 MEDIUM 4.6 HIGH 7.8 It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843
systemd 239 freedesktop CVE-2019-6454 MEDIUM 4.9 MEDIUM 5.5 An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates https://github.com/systemd/systemd/commits/master/src/libsyste https://www.debian.org/security/2019/dsa-4393
systemd 239 freedesktop CVE-2018-16865 MEDIUM 4.6 HIGH 7.8 An allocation of memory without limits, that could result in the stack clashing with another memory region, was https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16865 https://www.qualys.com/2019/01/09/system-down/system-
systemd 239 freedesktop CVE-2018-16864 MEDIUM 4.6 HIGH 7.8 An allocation of memory without limits, that could result in the stack clashing with another memory region, was https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16864 https://www.qualys.com/2019/01/09/system-down/system-
systemd 239 freedesktop CVE-2018-16866 LOW 2.1 LOW 3.3 An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16866 https://www.qualys.com/2019/01/09/system-down/system-
systemd 239 freedesktop CVE-2018-15688 HIGH 7.5 CRITICAL 9.8 A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap https://github.com/systemd/systemd/pull/10518 https://github.com/systemd/systemd/pull/10518
systemd 239 freedesktop CVE-2018-15687 LOW 1.9 MEDIUM 4.7 A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on https://github.com/systemd/systemd/pull/10517/commits https://github.com/systemd/systemd/pull/10517/commits
systemd 239 freedesktop CVE-2018-15686 HIGH 10.0 CRITICAL 9.8 A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution https://github.com/systemd/systemd/pull/10519 https://github.com/systemd/systemd/pull/10519
tinyproxy 1.8.3 tinyproxy_project CVE-2017-11747 LOW 2.1 MEDIUM 5.5 main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root https://github.com/tinyproxy/tinyproxy/issues/106 https://github.com/tinyproxy/tinyproxy/issues/106
dbus 1.2.10 freedesktop CVE-2019-12749 LOW 3.6 HIGH 7.1 dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in https://www.openwall.com/lists/oss-security/2019/06/11/2
dbus 1.2.10 freedesktop CVE-2011-2533 LOW 3.3 N/A N/A The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink
Completed open-source software risk list… a preliminary version
Data Fields
Supplier Name
Component Name
Version of the Component
Risk Information
+
Follow-up tracking?
Vulnerability updates?
Three key points of open-source software risk management
Build the open-source software risk list
Product risk tracking and management
Build the software bill of materials (SBOM)
• CVE vulnerabilities in open-source packages
• Licensing issues in open-source packages
• NVD CVE vulnerability correlation analysis
• Suggested remediation for each vulnerability
Open Source
Vulnerability Analysis
Open-source software inventory
OSS vulnerability analysis
…
CVSS (CVE) vulnerability rating
Vulnerability intelligence database
Automatically correlates the software inventory with CVE vulnerabilities and builds the software risk list (CBOM)
Supports
CPE import
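The correlation step this slide describes, as an added example in Python (not SecSAM code): components taken from the risk-list table above are matched against vulnerability records keyed by vendor and product with version ranges in the shape of the NVD feed's cpe_match fields, and the hits are ranked by CVSS. CVE ids, vendor/product names and scores come from the table and the version ranges from the descriptions quoted there; the records themselves are constructed, and the DBD::mysql vendor/product pair is a placeholder.

```python
"""Correlate a component inventory with CVE records into a risk list (CBOM).
Added example, not SecSAM code.  CVE ids, vendor/product names and CVSS scores
come from the slide's risk-list table, version ranges from the descriptions
quoted there; the DBD::mysql vendor/product pair is a constructed placeholder."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    vendor: str

@dataclass(frozen=True)
class VersionRange:
    """One affected range, shaped like the NVD feed's cpe_match range fields."""
    start_incl: Optional[str] = None   # versionStartIncluding
    end_excl: Optional[str] = None     # versionEndExcluding
    end_incl: Optional[str] = None     # versionEndIncluding

@dataclass(frozen=True)
class VulnRecord:
    cve: str
    vendor: str
    product: str
    cvss2: Optional[float]
    cvss3: Optional[float]
    ranges: tuple = ()                 # empty tuple: every version is affected

# Qualitative rating bands as (upper bound, label): CVSS v3.x, and NVD's v2 bands.
V3_BANDS = ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL"))
V2_BANDS = ((3.9, "LOW"), (6.9, "MEDIUM"), (10.0, "HIGH"))

def severity(score: float, bands=V3_BANDS) -> str:
    return next(label for top, label in bands if score <= top)

def parse_version(v: str) -> tuple:
    """'v245' -> (245,), '1.12.16' -> (1, 12, 16); each part reduced to its leading digits."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in v.strip().lstrip("vV").split("."))

def vcmp(a: str, b: str) -> int:
    """-1/0/1; missing trailing parts count as 0 ('245' == '245.0'); '1.2.10' < '1.10.28'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

def in_range(version: str, r: VersionRange) -> bool:
    if r.start_incl is not None and vcmp(version, r.start_incl) < 0:
        return False
    if r.end_excl is not None and vcmp(version, r.end_excl) >= 0:
        return False
    return r.end_incl is None or vcmp(version, r.end_incl) <= 0

def build_risk_list(inventory, feed):
    """Match by (vendor, product) and version range; rank by CVSS v3, else v2."""
    rows = []
    for comp in inventory:
        for rec in feed:
            if (rec.vendor, rec.product) != (comp.vendor, comp.name):
                continue
            if rec.ranges and not any(in_range(comp.version, r) for r in rec.ranges):
                continue
            if rec.cvss3 is not None:
                score, sev = rec.cvss3, severity(rec.cvss3)
            else:
                score, sev = rec.cvss2, severity(rec.cvss2, V2_BANDS)
            rows.append({"component": comp.name, "version": comp.version,
                         "cve": rec.cve, "score": score, "severity": sev})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

INVENTORY = [  # four components from the slide table
    Component("systemd", "239", "freedesktop"),
    Component("dbus", "1.2.10", "freedesktop"),
    Component("tinyproxy", "1.8.3", "tinyproxy_project"),
    Component("perl", "5.24.4", "perl"),
]

FEED = [  # constructed records; ranges as quoted in the table descriptions
    VulnRecord("CVE-2020-13776", "freedesktop", "systemd", 6.2, 6.7,
               (VersionRange(end_incl="245"),)),                  # "through v245"
    VulnRecord("CVE-2019-20386", "freedesktop", "systemd", 2.1, 2.4,
               (VersionRange(end_excl="243"),)),                  # "before 243"
    VulnRecord("CVE-2019-12749", "freedesktop", "dbus", 3.6, 7.1,
               (VersionRange(end_excl="1.10.28"),                 # "before 1.10.28"
                VersionRange(start_incl="1.12.0", end_excl="1.12.16"))),
    VulnRecord("CVE-2017-11747", "tinyproxy_project", "tinyproxy", 2.1, 5.5,
               (VersionRange(end_incl="1.8.4"),)),                # "1.8.4 and earlier"
    # The table files CVE-2016-1246 under perl, but its description places the
    # flaw in the DBD::mysql module; keyed by vendor/product, as a CPE is, the
    # record does not attach to perl itself (this vendor/product: placeholder).
    VulnRecord("CVE-2016-1246", "dbd-mysql_project", "dbd-mysql", 5.0, 7.5,
               (VersionRange(end_excl="4.037"),)),
]

if __name__ == "__main__":
    for row in build_risk_list(INVENTORY, FEED): print(row)
```

The numeric-aware comparison matters for the dbus row: a string compare would place 1.2.10 after 1.10.28 and silently miss CVE-2019-12749.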
Finding product risks comprehensively through firmware scanning
Third-party programs carry the risks of the many open-source components they contain, and they are distributed in binary form, so the enterprise that ultimately uses them often cannot obtain the source code. SecSAM firmware scanning can comprehensively analyze the risks that may exist in the product supply chain.
Precisely defining the risks relevant to the product
Scanning the final compiled binary code ensures that the information obtained reflects the product's true final state, reducing the probability of false positives and avoiding the inconvenience caused by incorrect information.
Open-source software
Outsourced development (firmware)
Commercial packaged software
• Binary fingerprint matching engine
• Analyzes many binary file formats
• Automatically analyzes software composition
Binary Analysis
Binary Analysis: composition analysis
Open-source software inventory
• Fingerprint analysis of open-source software source code
• Continuously updated open-source software fingerprints
Binary fingerprint database
Software composition analysis tool
Automatically identifies the software component composition by scanning firmware images and executable files.
VM Image
Binary File
Binary Analysis: license analysis
• OSS license classification scanning
• High-risk license analysis
License Type
Analysis
Analyzes the license types present in the software
License intelligence database
Automatically inventories the licenses and risks of software components
High litigation-risk list
Identifies components in the product that have been the subject of lawsuits brought by SFC, McHardy and others
VM Image
Binary File
Three key points of open-source software risk management
Build the open-source software risk list
Product risk tracking and management
Build the software bill of materials (SBOM)
• CI/CD integration
• New-vulnerability alerts and notifications
Product risk tracking and management: CI/CD Integration
Integrates with CI/CD through defect-tracking software and automatically updates the remediation status of each vulnerability.
Real-time vulnerability information
• Vulnerability database updated daily
Vulnerability intelligence database
Real-time notification of the latest vulnerability information relevant to the product
SBOM
Product
Component
Three key points of open-source software risk management
Build the open-source software risk list
Product risk tracking and management
Build the software bill of materials (SBOM)
• Standard SBOM format (SWID)
• Custom SBOM
SBOM standards
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
                  name="asoftware"
                  tagId="acme/asoftware@1.1"
                  version="1.1">
  <Entity name="acme" role="tagCreator softwareCreator" />
  <Link href="swid:bob/browser@2.1" rel="requires" />
  <Link href="swid:bingo/buffer@2.2" rel="requires" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="acme-asoftware-1.1.exe"
          sha512:hash="BC55DEF84538898754536AE47CC907387B8F61D9ACD7D3FB8B8A624199682C8FBE6D1631088AE6A322CDDC4252D3564655CB234D3818962B0B75C35504D55689" />
  </Payload>
</SoftwareIdentity>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
                  name="browser"
                  tagId="bob/browser@2.1"
                  version="2.1">
  <Entity name="bob" role="tagCreator softwareCreator" />
  <Link href="swid:carol/compressionEng@2.2" rel="requires" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="bob-browser-2.1.exe"
          sha512:hash="FF4893471E763B94165CC277A9FB01D7ED66256FDDD6467D91E35AFF8F445C6312832FD97DE1FD517606019BDC5F46E9E4E4814601E1FCB1010E90C2EBE54820" />
  </Payload>
</SoftwareIdentity>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
                  name="buffer"
                  tagId="bingo/buffer@2.2"
                  version="2.2">
  <Entity name="bingo" role="tagCreator softwareCreator" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="bingo-buffer-2.2.lib"
          sha512:hash="AEE705CEAFDBA5EE54462443E41A447FDA69BEDCB57FC4C284D41AD67C7499A8F10C3B7D504A118986A3DF29564B3BD64B783C3B18BFA0F2AA4C779477A9D0D8" />
  </Payload>
</SoftwareIdentity>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
                  name="compressionEng"
                  tagId="carol/compressionEng@3.1"
                  version="3.1">
  <Entity name="carol" role="tagCreator softwareCreator" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="carol-compressionEng-3.1.lib"
          sha512:hash="BEB0E94E089B34DADA04A53A38AE268672CA69ABB34C79E14B446D0DD5F55BE034FC9F9D7DDF0655CDCDAB878604625805648FADA6E897541F483B2E92AE424C" />
  </Payload>
</SoftwareIdentity>
SWID SPDX
Ref:https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
Ref:https://blog.adolus.com/blog/ntia-publishes-minimum-components-of-an-sbom:
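As an added example (not the slide's or the NTIA's code), producing a SWID tag from the minimum SBOM fields shown earlier (supplier name, component name, version, plus the file's SHA-512) and checking a set of tags for requires links that no tag in the set resolves and for payload hashes that match the delivered bytes. The four tags built below reuse the names, versions and requires links of the SWID example above; the file contents they hash are constructed.

```python
"""Build SWID tags from the minimum SBOM fields and check a set of tags.
Added example, not the slide's or the NTIA's code.  The four tags built below
follow the dependency graph of the slide's SWID example; the file contents
they hash are constructed here."""
import hashlib
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA512_NS = "http://www.w3.org/2001/04/xmlenc#sha512"

def make_swid_tag(supplier, name, version, filename, content, requires=()):
    """Supplier name, component name and version (the minimum SBOM fields on the
    earlier slide) become the Entity, name and tagId; the payload carries the
    file's SHA-512 so a consumer can check what it actually received."""
    tag_id = f"{supplier}/{name}@{version}"
    digest = hashlib.sha512(content).hexdigest().upper()
    links = "".join(f'  <Link href={quoteattr("swid:" + dep)} rel="requires" />\n'
                    for dep in requires)
    return (f'<SoftwareIdentity xmlns="{SWID_NS}" name={quoteattr(name)} '
            f'tagId={quoteattr(tag_id)} version={quoteattr(version)}>\n'
            f'  <Entity name={quoteattr(supplier)} role="tagCreator softwareCreator" />\n'
            f'{links}'
            f'  <Payload xmlns:sha512="{SHA512_NS}">\n'
            f'    <File name={quoteattr(filename)} sha512:hash="{digest}" />\n'
            '  </Payload>\n</SoftwareIdentity>\n')

def parse_tag(xml_text):
    """Pull the fields a consumer needs: tagId, requires links, payload file and hash."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity tag")
    f = root.find(f"{{{SWID_NS}}}Payload/{{{SWID_NS}}}File")
    return {
        "tagId": root.get("tagId"),
        "requires": [ln.get("href") for ln in root.findall(f"{{{SWID_NS}}}Link")
                     if ln.get("rel") == "requires"],
        "file": None if f is None else f.get("name"),
        "sha512": None if f is None else f.get(f"{{{SHA512_NS}}}hash"),
    }

def unresolved_requires(tags):
    """tagIds named by a requires link that no tag in the set describes: the SBOM
    is incomplete, or the versions disagree, for those dependencies."""
    parsed = [parse_tag(t) for t in tags]
    known = {p["tagId"] for p in parsed}
    missing = []
    for p in parsed:
        for href in p["requires"]:
            target = href[len("swid:"):] if href.startswith("swid:") else href
            if target not in known and target not in missing:
                missing.append(target)
    return missing

def verify_payload(xml_text, content):
    """True when the delivered bytes match the tag's sha512 payload hash."""
    expected = parse_tag(xml_text)["sha512"]
    return expected is not None and expected.lower() == hashlib.sha512(content).hexdigest()

SLIDE_TAGS = [  # same names, versions and requires links as the slide example
    make_swid_tag("acme", "asoftware", "1.1", "acme-asoftware-1.1.exe", b"acme build",
                  requires=("bob/browser@2.1", "bingo/buffer@2.2")),
    make_swid_tag("bob", "browser", "2.1", "bob-browser-2.1.exe", b"bob build",
                  requires=("carol/compressionEng@2.2",)),
    make_swid_tag("bingo", "buffer", "2.2", "bingo-buffer-2.2.lib", b"bingo build"),
    make_swid_tag("carol", "compressionEng", "3.1", "carol-compressionEng-3.1.lib",
                  b"carol build"),
]

if __name__ == "__main__":
    print(SLIDE_TAGS[0])
    # browser requires compressionEng@2.2, but the only compressionEng tag is @3.1
    print("unresolved:", unresolved_requires(SLIDE_TAGS))
    print("payload ok:", verify_payload(SLIDE_TAGS[0], b"acme build"))
```

Run against the slide's own dependency graph, the check reports carol/compressionEng@2.2 as unresolved, since the only compressionEng tag present is version 3.1.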
Generates the SBOM and provides a visual interface for browsing it
Export XML file
(SWID format)
Custom SBOM template
DEMO
03
THANK YOU
Onward Security
Contact us: contact@onwardsecurity.com

More Related Content

What's hot

Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
Cisco DevNet
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Cisco DevNet
 
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Cisco DevNet
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat bots
Cisco DevNet
 
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Cisco DevNet
 
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
Cisco DevNet
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
Mark Secretario
 

What's hot (7)

Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
Webex APIs for Administrators - DEVNET_2610 - Cisco Live 2019
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
 
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
Webex Teams Widgets Technical Drill down - Cisco Live Orlando 2018 - DEVNET-3891
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat bots
 
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
 
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
Integrated, Automated Video Room Systems - Webex Devices - Cisco Live Orlando...
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 

Similar to 如何让开源软件用得更放心

Patch Tuesday Italia Giugno
Patch Tuesday Italia GiugnoPatch Tuesday Italia Giugno
Patch Tuesday Italia Giugno
Ivanti
 
Français Patch Tuesday - Juin___________
Français Patch Tuesday - Juin___________Français Patch Tuesday - Juin___________
Français Patch Tuesday - Juin___________
Ivanti
 
Patch Tuesday de Junio
Patch Tuesday de JunioPatch Tuesday de Junio
Patch Tuesday de Junio
Ivanti
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre
Ivanti
 
Français Patch Tuesday – Octobre
Français Patch Tuesday – OctobreFrançais Patch Tuesday – Octobre
Français Patch Tuesday – Octobre
Ivanti
 
2023 October Patch Tuesday
2023 October Patch Tuesday2023 October Patch Tuesday
2023 October Patch Tuesday
Ivanti
 
Developing MIPS Exploits to Hack Routers
Developing MIPS Exploits to Hack RoutersDeveloping MIPS Exploits to Hack Routers
Developing MIPS Exploits to Hack Routers
BGA Cyber Security
 
2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday
Ivanti
 
2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday
Shazia464689
 
Recap of de code 2019
Recap of de code 2019Recap of de code 2019
Recap of de code 2019
Kyohei Mizumoto
 
Cohesive Networks Support Docs: VNS3:turret Base Container Guide
Cohesive Networks Support Docs: VNS3:turret Base Container GuideCohesive Networks Support Docs: VNS3:turret Base Container Guide
Cohesive Networks Support Docs: VNS3:turret Base Container Guide
Cohesive Networks
 
FR September 2023 Patch Tuesday
FR September 2023 Patch TuesdayFR September 2023 Patch Tuesday
FR September 2023 Patch Tuesday
Ivanti
 
2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday
Ivanti
 
ES September 2023 Patch Tuesday
ES September 2023 Patch TuesdayES September 2023 Patch Tuesday
ES September 2023 Patch Tuesday
Ivanti
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – Novembre
Ivanti
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia Novembre
Ivanti
 
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
PostgresOpen
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
Duong Hieu
 
Patch Tuesday Italia Maggio
Patch Tuesday Italia MaggioPatch Tuesday Italia Maggio
Patch Tuesday Italia Maggio
Ivanti
 

Similar to 如何让开源软件用得更放心 (20)

Patch Tuesday Italia Giugno
Patch Tuesday Italia GiugnoPatch Tuesday Italia Giugno
Patch Tuesday Italia Giugno
 
Français Patch Tuesday - Juin___________
Français Patch Tuesday - Juin___________Français Patch Tuesday - Juin___________
Français Patch Tuesday - Juin___________
 
Patch Tuesday de Junio
Patch Tuesday de JunioPatch Tuesday de Junio
Patch Tuesday de Junio
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre
 
Français Patch Tuesday – Octobre
Français Patch Tuesday – OctobreFrançais Patch Tuesday – Octobre
Français Patch Tuesday – Octobre
 
2023 October Patch Tuesday
2023 October Patch Tuesday2023 October Patch Tuesday
2023 October Patch Tuesday
 
Developing MIPS Exploits to Hack Routers
Developing MIPS Exploits to Hack RoutersDeveloping MIPS Exploits to Hack Routers
Developing MIPS Exploits to Hack Routers
 
2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday
 
2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday2023 Ottobre Patch Tuesday
2023 Ottobre Patch Tuesday
 
Recap of de code 2019
Recap of de code 2019Recap of de code 2019
Recap of de code 2019
 
Cohesive Networks Support Docs: VNS3:turret Base Container Guide
Cohesive Networks Support Docs: VNS3:turret Base Container GuideCohesive Networks Support Docs: VNS3:turret Base Container Guide
Cohesive Networks Support Docs: VNS3:turret Base Container Guide
 
FR September 2023 Patch Tuesday
FR September 2023 Patch TuesdayFR September 2023 Patch Tuesday
FR September 2023 Patch Tuesday
 
2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday
 
ES September 2023 Patch Tuesday
ES September 2023 Patch TuesdayES September 2023 Patch Tuesday
ES September 2023 Patch Tuesday
 
Français Patch Tuesday – Novembre
Français Patch Tuesday – NovembreFrançais Patch Tuesday – Novembre
Français Patch Tuesday – Novembre
 
Patch Tuesday Italia Novembre
Patch Tuesday Italia NovembrePatch Tuesday Italia Novembre
Patch Tuesday Italia Novembre
 
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
Ryan Jarvinen Open Shift Talk @ Postgres Open 2013
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
 
Patch Tuesday Italia Maggio
Patch Tuesday Italia MaggioPatch Tuesday Italia Maggio
Patch Tuesday Italia Maggio
 

Recently uploaded

IEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdfIEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdf
Claudio Gallicchio
 
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdfBRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
Robin Haunschild
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
gpww3sf4
 
Proposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP IncProposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP Inc
Raheem Muhammad
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Ben Linders
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
OECD Directorate for Financial and Enterprise Affairs
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
kekzed
 
nationalismineurope-230420140400-1c53f60e.pptx
nationalismineurope-230420140400-1c53f60e.pptxnationalismineurope-230420140400-1c53f60e.pptx
nationalismineurope-230420140400-1c53f60e.pptx
silki0908
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
OECD Directorate for Financial and Enterprise Affairs
 
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
SkillCertProExams
 

Recently uploaded (20)

IEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdfIEEE CIS Webinar Sustainable futures.pdf
IEEE CIS Webinar Sustainable futures.pdf
 
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdfBRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
BRIC_2024_2024-06-06-11:30-haunschild_archival_version.pdf
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
 
Proposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP IncProposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP Inc
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
 
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
 
nationalismineurope-230420140400-1c53f60e.pptx
nationalismineurope-230420140400-1c53f60e.pptxnationalismineurope-230420140400-1c53f60e.pptx
nationalismineurope-230420140400-1c53f60e.pptx
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
 
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
 

如何让开源软件用得更放心

  • 1. Realize Ultimate Security every step starts with the labs www.onwardsecurity.com 2021最佳物联网资安公司 如何让开源软件用得更放心 白尚永 Bruce 2021/10/13
  • 2. 1 © 2021 Onward Security Corp. All rights reserved. CONTENT 开源软件风险管理的重要性 01 透过SecSAM实施开源软件安全管理 02 SecSAM 展示DEMO 03
  • 3. © 2021 Onward Security Corp. All rights reserved. 2 开源软件风险管理的重要性 01
  • 4. © 2021 Onward Security Corp. All rights reserved. 3 各产业中利用开源软件进行开发所占之比例 Ref: 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
  • 5. © 2021 Onward Security Corp. All rights reserved. 4 自行开发 之原始码 了解产品的组成 最终应用/产品 第三方 开发软件 • 由第三方企业负责资安 • 已知的商业来源 • 由企业内部开发人员维护 • 企业内部资安政策 开源软件 • 成百上千个代码源贡献者 • 无专人负责维护资安 • 无企业责任 • 资安检测? • 复杂的供应链网络 組成类别 风险管理
  • 6. © 2021 Onward Security Corp. All rights reserved. 5 软件组成(Composition)
  • 7. © 2021 Onward Security Corp. All rights reserved. 6 软件供应链、软件物料清单(SBOM) Ref : https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Ref:https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf Growing support and importance of SBOM Projects • BSA Framework for Secure Software. • Building Security in Maturity Model • CISQ Trustworthy System Manifesto • FS-ISAC Third Party Governance • ISO/IEC 27002:2005 and 27002:2013 • Linux Foundation OpenChain • Manufacturers Disclosure Statement for Medical Device Security • MITRE Deliver Uncompromised • NIST’s Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) … 两年内软件购买者在购买产品时都 会要求提供软件物料清單(SBOM) Gartner
  • 8. © 2021 Onward Security Corp. All rights reserved. 7 Vulnerability 漏洞
  • 9. © 2021 Onward Security Corp. All rights reserved. 8 开源代码库存漏洞 被扫描的应用程序中有98%包含开源软件 套件(OSS components), 每个应用程序平均 包含257个组件(Components) 98% 被检查的代码库中(codebase)78%至少有 一个漏洞,每个应用程序平均有158个漏 洞,漏洞平均已存在2.2年以上。 78% 被分析的应用程序代码库组成高达75%来 自于开源软件套件。 75% 存在的漏洞风险 逐年上升的开源代码库风险 Ref: 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
  • 10. © 2021 Onward Security Corp. All rights reserved. 9 License 授权
  • 11. © 2021 Onward Security Corp. All rights reserved. 10 复杂的授权种类及法律问题 被扫瞄的代码库中有65%存在授权 不当使用的问题 OSS版权流氓(copyright troll)崛起 OSS的开发者使用版权条款图利 的频率已开始影响市场 授权的法律问题 65%
  • 12. © 2021 Onward Security Corp. All rights reserved. 11 透过SecSAM实施开源软件安全管理 02
  • 13. © 2021 Onward Security Corp. All rights reserved. 12 手动建立风险清单?
  • 14. © 2021 Onward Security Corp. All rights reserved. 13 建立一个开源风险清单所费时间甚巨 Component Version Vendor CVE Code Severity (2.0) CVSS Score(2.0) Severity (3.0) CVSS Score(3.0) Description Reference (Patch) Reference (Vendor Advisory) Reference (ThirdParty Advisory) bash 4.4.18 gnu CVE-2019-18276 HIGH 7.2 HIGH 7.8 An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run https://github.com/bminor/bash/commit/951bdaad7a18cc0dc103 http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11- bind 9.11.5 isc CVE-2021-25216 MEDIUM 6.8 CRITICAL 9.8 In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of http://www.openwall.com/lists/oss-security/2021/04/29/1 bind 9.11.5 isc CVE-2021-25215 MEDIUM 5.0 HIGH 7.5 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of https://kb.isc.org/v1/docs/cve-2021-25215 http://www.openwall.com/lists/oss-security/2021/04/29/1 bind 9.11.5 isc CVE-2021-25214 MEDIUM 4.0 MEDIUM 6.5 In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> https://kb.isc.org/v1/docs/cve-2021-25214 http://www.openwall.com/lists/oss-security/2021/04/29/1 bind 9.11.5 isc CVE-2020-8625 MEDIUM 6.8 HIGH 8.1 BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. 
Open-source software risk list completed... initial version. Data fields: Supplier Name, Component Name, Version of the Component, Risk Information. + Follow-up tracking? Vulnerability updates?
Three key points of open source software risk management
1. Build an open source software risk inventory
   • CVE vulnerabilities in open source packages
   • License issues in open source packages
2. Product risk tracking and management
3. Build a software bill of materials (SBOM)
Automatically correlates CVE vulnerabilities with the software inventory and builds a software risk inventory (CBOM)
Open Source Vulnerability Analysis: open source software inventory → OSS vulnerability analysis → … → CVSS (CVE) vulnerability rating, backed by a vulnerability intelligence database.
• NVD CVE vulnerability correlation analysis
• Suggested remediation for each vulnerability
• Supports CPE import
Finding product risks comprehensively through firmware scanning
Third-party programs carry the risks of the many open source components they contain, and they are distributed in binary form, so the enterprise that ultimately uses them often cannot obtain the source code. SecSAM firmware scanning can comprehensively analyze the risks that may exist in the product supply chain.
Precisely defining product-related risk: scanning the final compiled binary code ensures that the information obtained reflects the true final state of the product, which reduces the probability of false positives and avoids the inconvenience caused by incorrect information.
(Diagram labels: open source software, outsourced development (firmware), commercial packaged software.)
Software composition analysis tool
Automatically analyzes the software component composition by scanning firmware files and executables (inputs: VM Image, Binary File).
Binary Analysis (composition analysis) → open source software inventory
• Binary signature matching engine
• Analyzes many binary file formats
• Automatically analyzes software composition
Binary signature database
• Signature analysis of open source source code
• Continuously updated open source signatures
Automatically inventories the licenses and risks of software components
Binary Analysis (license analysis), inputs: VM Image, Binary File
• OSS license classification scan
• High-risk license analysis
License Type Analysis: analyzes the license types present in the software, backed by a license intelligence database.
High litigation risk list: identifies components in the product that have been the subject of lawsuits by the SFC, McHardy and others.
Three key points of open source software risk management
1. Build an open source software risk inventory
2. Product risk tracking and management
   • CI/CD integration
   • New vulnerability alerts and notification
3. Build a software bill of materials (SBOM)
Product risk tracking and management
CI/CD Integration: integrates with the CI/CD pipeline through defect tracking software and automatically updates the remediation status of each vulnerability.
Real-time vulnerability information
• Vulnerability database updated daily
Vulnerability intelligence database: reports the latest product-related vulnerability information in real time.
(Diagram: SBOM → Product → Component)
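The two slides above (CVE correlation against the component inventory, and the daily-updated feed with alerts on new matches) describe one piece of logic: decide, for each component and version in the inventory, which feed entries apply, rank them by CVSS, and report what is new since the last run. The following is an added illustration, not SecSAM code: the feed and inventory are constructed sample data, the range keys mirror the NVD CPE-match field names (versionStartIncluding, versionEndExcluding, versionEndIncluding), and the CVE ids, scores and affected-version statements are taken from the rows on the earlier slide, rendered into ranges by me rather than copied from the real NVD records. The version comparison is deliberately simple (dotted integers only).

```python
import re

# Constructed vulnerability feed (sample data, not the real NVD JSON).
# "cvss3" may be None for old records, as with CVE-2011-2533 on the slide.
SAMPLE_FEED = [
    {"cve": "CVE-2019-12749", "product": "dbus", "cvss3": 7.1, "cvss2": 3.6,
     "ranges": [{"versionEndExcluding": "1.10.28"},
                {"versionStartIncluding": "1.12.0", "versionEndExcluding": "1.12.16"},
                {"versionStartIncluding": "1.13.0", "versionEndExcluding": "1.13.12"}]},
    {"cve": "CVE-2011-2533", "product": "dbus", "cvss3": None, "cvss2": 3.3,
     "ranges": [{"versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.28"}]},
    {"cve": "CVE-2018-15686", "product": "systemd", "cvss3": 9.8, "cvss2": 10.0,
     "ranges": [{"versionEndIncluding": "239"}]},
    {"cve": "CVE-2017-11747", "product": "tinyproxy", "cvss3": 5.5, "cvss2": 2.1,
     "ranges": [{"versionEndIncluding": "1.8.4"}]},
]

# Constructed component inventory, as a composition scan or SBOM would yield it.
SAMPLE_INVENTORY = [
    {"product": "systemd", "version": "239"},
    {"product": "tinyproxy", "version": "1.8.3"},
    {"product": "dbus", "version": "1.2.10"},
    {"product": "dbus", "version": "1.12.16"},   # already at the fixed version
]


def parse_version(v):
    """Dotted numeric version -> tuple of ints. Simplification: ignores
    pre-release tags and distro suffixes, which real feeds must handle."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_in_range(version, rng):
    """Apply one NVD-style range object to a concrete version."""
    v = parse_version(version)
    if "versionStartIncluding" in rng and v < parse_version(rng["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in rng and v <= parse_version(rng["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in rng and v > parse_version(rng["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in rng and v >= parse_version(rng["versionEndExcluding"]):
        return False
    return True


def severity(score):
    """CVSS v3 qualitative rating bands (also applied to a v2 score here)."""
    if score is None:
        return "N/A"
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def match_inventory(inventory, feed):
    """Correlate every inventory component with the feed; rank by score."""
    findings = []
    for comp in inventory:
        for vuln in feed:
            if vuln["product"] != comp["product"]:
                continue
            if any(version_in_range(comp["version"], r) for r in vuln["ranges"]):
                # Prefer the v3 score; fall back to v2 for records without one.
                score = vuln["cvss3"] if vuln["cvss3"] is not None else vuln["cvss2"]
                findings.append({"product": comp["product"], "version": comp["version"],
                                 "cve": vuln["cve"], "score": score,
                                 "severity": severity(score)})
    findings.sort(key=lambda f: (-f["score"], f["cve"]))
    return findings


def new_findings(previous, current):
    """Daily-feed use: findings that were not present in the previous run."""
    seen = {(f["product"], f["version"], f["cve"]) for f in previous}
    return [f for f in current if (f["product"], f["version"], f["cve"]) not in seen]


if __name__ == "__main__":
    for f in match_inventory(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"{f['cve']:15} {f['product']}-{f['version']:8} {f['score']:4} {f['severity']}")
```

Two things the sample makes visible: dbus 1.12.16 produces no finding because it sits exactly on the versionEndExcluding boundary, and the order of findings is driven by the score that was actually available, so a record with only a v2 score still ranks and is not silently dropped.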
Three key points of open source software risk management
1. Build an open source software risk inventory
2. Product risk tracking and management
3. Build a software bill of materials (SBOM)
   • Standard SBOM format (SWID)
   • Custom SBOM
SBOM standards
Formats: SWID, SPDX. SWID example (a set of four related tags):

<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="asoftware" tagId="acme/asoftware@1.1" version="1.1">
  <Entity name="acme" role="tagCreator softwareCreator" />
  <Link href="swid:bob/browser@2.1" rel="requires" />
  <Link href="swid:bingo/buffer@2.2" rel="requires" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="acme-asoftware-1.1.exe"
        sha512:hash="BC55DEF84538898754536AE47CC907387B8F61D9ACD7D3FB8B8A624199682C8FBE6D1631088AE6A322CDDC4252D3564655CB234D3818962B0B75C35504D55689" />
  </Payload>
</SoftwareIdentity>

<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="browser" tagId="bob/browser@2.1" version="2.1">
  <Entity name="bob" role="tagCreator softwareCreator" />
  <Link href="swid:carol/compressionEng@2.2" rel="requires" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="bob-browser-2.1.exe"
        sha512:hash="FF4893471E763B94165CC277A9FB01D7ED66256FDDD6467D91E35AFF8F445C6312832FD97DE1FD517606019BDC5F46E9E4E4814601E1FCB1010E90C2EBE54820" />
  </Payload>
</SoftwareIdentity>

<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="buffer" tagId="bingo/buffer@2.2" version="2.2">
  <Entity name="bingo" role="tagCreator softwareCreator" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="bingo-buffer-2.2.lib"
        sha512:hash="AEE705CEAFDBA5EE54462443E41A447FDA69BEDCB57FC4C284D41AD67C7499A8F10C3B7D504A118986A3DF29564B3BD64B783C3B18BFA0F2AA4C779477A9D0D8" />
  </Payload>
</SoftwareIdentity>

<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="compressionEng" tagId="carol/compressionEng@3.1" version="3.1">
  <Entity name="carol" role="tagCreator softwareCreator" />
  <Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">
    <File name="carol-compressionEng-3.1.lib"
        sha512:hash="BEB0E94E089B34DADA04A53A38AE268672CA69ABB34C79E14B446D0DD5F55BE034FC9F9D7DDF0655CDCDAB878604625805648FADA6E897541F483B2E92AE424C" />
  </Payload>
</SoftwareIdentity>

Ref: https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
Ref: https://blog.adolus.com/blog/ntia-publishes-minimum-components-of-an-sbom:
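What a consumer of these SWID tags actually does with them is implicit on the slide: read the primary tag of each component, follow its Link rel="requires" edges to build the dependency graph, flag requirements no tag in the set satisfies, and check the Payload hashes against the delivered files. The block below is an added example written for this page, not SecSAM code and not the NTIA sample verbatim. It constructs its own small tag set with the same names and the same shape as the tags above (including the browser tag requiring compressionEng@2.2 while only compressionEng@3.1 is present), with placeholder payload bytes whose SHA-512 is computed inline so that hash verification can be demonstrated offline.

```python
import hashlib
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA512_HASH_ATTR = "{http://www.w3.org/2001/04/xmlenc#sha512}hash"


def _sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest().upper()


# Constructed sample payload files (not real binaries). The hashes embedded in
# the tags below are derived from these bytes.
SAMPLE_FILES = {
    "acme-asoftware-1.1.exe": b"constructed sample payload: asoftware 1.1",
    "bob-browser-2.1.exe": b"constructed sample payload: browser 2.1",
}


def _tag(name, tag_id, version, creator, requires=(), payload=None):
    """Build one constructed SWID tag as text (Entity, Link rel=requires, Payload/File)."""
    links = "".join(f'<Link href="swid:{r}" rel="requires"/>' for r in requires)
    files = ""
    if payload:
        files = (f'<Payload xmlns:sha512="http://www.w3.org/2001/04/xmlenc#sha512">'
                 f'<File name="{payload}" sha512:hash="{_sha512_hex(SAMPLE_FILES[payload])}"/>'
                 f'</Payload>')
    return (f'<SoftwareIdentity xmlns="{SWID_NS}" name="{name}" tagId="{tag_id}" version="{version}">'
            f'<Entity name="{creator}" role="tagCreator softwareCreator"/>{links}{files}'
            f'</SoftwareIdentity>')


SAMPLE_TAGS = [
    _tag("asoftware", "acme/asoftware@1.1", "1.1", "acme",
         requires=("bob/browser@2.1", "bingo/buffer@2.2"), payload="acme-asoftware-1.1.exe"),
    _tag("browser", "bob/browser@2.1", "2.1", "bob",
         requires=("carol/compressionEng@2.2",), payload="bob-browser-2.1.exe"),
    _tag("buffer", "bingo/buffer@2.2", "2.2", "bingo"),
    # Only compressionEng 3.1 is delivered, but browser declares it requires 2.2.
    _tag("compressionEng", "carol/compressionEng@3.1", "3.1", "carol"),
]


def parse_swid(xml_text: str) -> dict:
    """Extract the SBOM-relevant fields from one SoftwareIdentity element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity element")
    requires = [link.get("href").removeprefix("swid:")
                for link in root.iter(f"{{{SWID_NS}}}Link")
                if link.get("rel") == "requires"]
    files = {f.get("name"): f.get(SHA512_HASH_ATTR)
             for f in root.iter(f"{{{SWID_NS}}}File")}
    suppliers = [e.get("name") for e in root.iter(f"{{{SWID_NS}}}Entity")
                 if "softwareCreator" in (e.get("role") or "").split()]
    return {"tagId": root.get("tagId"), "name": root.get("name"),
            "version": root.get("version"),
            "supplier": suppliers[0] if suppliers else None,
            "requires": requires, "files": files}


def build_inventory(tag_texts):
    """tagId -> parsed record, i.e. the component inventory the SBOM describes."""
    return {rec["tagId"]: rec for rec in map(parse_swid, tag_texts)}


def unresolved_requirements(inv):
    """(tagId, required tagId) pairs where the requirement is not in the tag set."""
    return [(tag_id, dep) for tag_id, rec in inv.items()
            for dep in rec["requires"] if dep not in inv]


def transitive_requires(inv, tag_id):
    """All components reachable through resolved 'requires' links."""
    seen, stack = set(), [tag_id]
    while stack:
        for dep in inv.get(stack.pop(), {}).get("requires", []):
            if dep in inv and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def verify_payload(rec, file_bytes):
    """file name -> True if the delivered bytes match the tag's SHA-512."""
    return {name: (file_bytes.get(name) is not None and expected is not None
                   and _sha512_hex(file_bytes[name]) == expected)
            for name, expected in rec["files"].items()}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_TAGS)
    print("unresolved:", unresolved_requirements(inv))
    print("asoftware depends on:", sorted(transitive_requires(inv, "acme/asoftware@1.1")))
    print("payload ok:", verify_payload(inv["acme/asoftware@1.1"], SAMPLE_FILES))
```

The unresolved-requirement check is the part worth keeping in a real pipeline: a tag set that looks complete can still reference a dependency version that nobody shipped, and a version mismatch of that kind is exactly what a component-level CVE lookup needs to know about.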
Generates the SBOM and provides a visual interface for browsing it
Export XML file (SWID format)
Custom SBOM templates
03 DEMO
Realize Ultimate Security every step starts with the labs
THANK YOU
Onward Security
Contact us: contact@onwardsecurity.com