FOSSLight Binary Scanner
FOSSLight Binary Scanner searches for a binary and outputs OSS information if there is an identical or similar binary from the Binary DB.
It can analyze the open source info. in ‘.jar' file by using Dependency-check-py.
Github Repository : https://github.com/fosslight/fosslight_binary_scanner
License : Apache-2.0
Contents
📋 Prerequisite
FOSSLight Binary Scanner needs a Python 3.7+.
To use the function to extract OSS information (OSS Name, OSS Version, License) from Binary DB, see the database setting guide.
Java Installation for jar file analysis. (Install Open Source JDK)
🎉 How to install
Method 1. Download the executable file.
Download the executable file suitable for the OS. : https://github.com/fosslight/fosslight_binary_scanner/releases
Method 2. Install fosslight_binary based on Python environment.
It can be installed using pip3.
- (Only for windows) Install Microsoft Build Tools from https://visualstudio.microsoft.com/en/vs/older-downloads/ > Redistributables packages and Build Tools.
- python 3.7 + virtualenv environment setting.
- Install the Python package fosslight_binary.
$ pip3 install fosslight_binary
🚀 How to run
Method 1. If you run it as an executable on windows.
After placing the fosslight_bin_windows.exe file in the path to be analyzed binary, double-click to run it.
Method 2. When executing with command.
$ fosslight_binary [option] <arg>
Options
Options:
-p <binary_path> Path to analyze binaries (Default: current directory)
-h Print help message
-v Print FOSSLight Binary Scanner version
-s Extract only the binary list in simple mode
-e <path> Path to exclude from analysis (files and directories, pattern matching is available)
-o <output_path> Output path
(If you want to generate the specific file name, add the output path with file name.)
-f <format> [<format> ...] Output file formats (excel, csv, opossum, yaml)
Multiple formats can be specified separated by space.
-d <db_url> DB Connection(format :'postgresql://username:password@host:port/database_name')
--notice Print the open source license notice text.
--no_correction Enter if you don't want to correct OSS information with sbom-info.yaml
--correct_fpath <path> Path to the sbom-info.yaml file
📁 Result
$ tree
.
├── fosslight_log_220904_0912.txt
├── fosslight_report_220904_0912.xlsx
└── fosslight_opossum_220904_0912.json
- fosslight_log_[datetime].txt : The execution log.
- fosslight_report_[datetime].xlsx : FOSSLight binary result in FOSSLight Report format.
- If analyzing jar files, ‘Vulnerability Link' Column is added to FOSSLight-Report_[datetime].xlsx file.
- The checksum and tlsh values for each binary are hidden by default.
- fosslight_opossum_[datetime].json : FOSSLight binary Scanner result for OpossumUI
🧐 How it works
-
List up binaries except the following cases.
Excepted case Description symbolic link, FIFO file Unable to read as file open. It causes the FOSSLight Binary Scanner to stop when checking for file type or binary. Non-Binary file extensions ‘qm', ‘xlsx', ‘pdf', ‘pptx', ‘jfif', ‘docx', ‘doc', ‘whl', ‘xls', ‘xlsm', ‘ppt', ‘mp4', ‘pyc', ‘plist', ‘dat', ‘json', ‘js' etc Specific file type Files that begin with ‘data', ‘timezone data', and ‘applebinary property list' Specific path ‘.git' -
Check "Exclude" in FOSSLight Report.
Exclude case Description Binary included in [‘fosslight_bin', ‘fosslight_bin.exe'] - Path included in ["test", "test", "doc", "doc", "docs", "intermediates"] folder Output only the results of the source code or binary included in the actual distribution Hidden folder (folders that begin with ‘.') - Specific file extensions Not final build output (ex, ‘.class') - Extract checksum and tlsh for each binary.
- Load OSS information from Binary DB.
- Create output files.