conan audit

Warning

This feature is experimental and subject to breaking changes. See the Conan stability section for more information.

New in Conan 2.14.0

The conan audit command is used to check for known vulnerabilities in your Conan packages.

See the audit devops page for examples of how to use the conan audit command.

conan audit scan

$ conan audit scan -h
usage: conan audit scan [-h] [-f FORMAT] [--out-file OUT_FILE] [-v [V]]
                        [-cc CORE_CONF] [--name NAME] [--version VERSION]
                        [--user USER] [--channel CHANNEL]
                        [--requires REQUIRES] [--tool-requires TOOL_REQUIRES]
                        [-b BUILD] [-r REMOTE | -nr] [-u [UPDATE]]
                        [-pr PROFILE] [-pr:b PROFILE_BUILD]
                        [-pr:h PROFILE_HOST] [-pr:a PROFILE_ALL] [-o OPTIONS]
                        [-o:b OPTIONS_BUILD] [-o:h OPTIONS_HOST]
                        [-o:a OPTIONS_ALL] [-s SETTINGS] [-s:b SETTINGS_BUILD]
                        [-s:h SETTINGS_HOST] [-s:a SETTINGS_ALL] [-c CONF]
                        [-c:b CONF_BUILD] [-c:h CONF_HOST] [-c:a CONF_ALL]
                        [-l LOCKFILE] [--lockfile-partial]
                        [--lockfile-out LOCKFILE_OUT] [--lockfile-clean]
                        [--lockfile-overrides LOCKFILE_OVERRIDES]
                        [--build-require] [-sl SEVERITY_LEVEL] [-p PROVIDER]
                        [path]

Scan a given recipe for vulnerabilities in its dependencies.

positional arguments:
  path                  Path to a folder containing a recipe (conanfile.py or
                        conanfile.txt) or to a recipe file. e.g.,
                        ./my_project/conanfile.txt.

options:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Select the output format: json, html
  --out-file OUT_FILE   Write the output of the command to the specified file
                        instead of stdout.
  -v [V]                Level of detail of the output. Valid options from less
                        verbose to more verbose: -vquiet, -verror, -vwarning,
                        -vnotice, -vstatus, -v or -vverbose, -vv or -vdebug,
                        -vvv or -vtrace
  -cc CORE_CONF, --core-conf CORE_CONF
                        Define core configuration, overwriting global.conf
                        values. E.g.: -cc core:non_interactive=True
  --name NAME           Provide a package name if not specified in conanfile
  --version VERSION     Provide a package version if not specified in
                        conanfile
  --user USER           Provide a user if not specified in conanfile
  --channel CHANNEL     Provide a channel if not specified in conanfile
  --requires REQUIRES   Directly provide requires instead of a conanfile
  --tool-requires TOOL_REQUIRES
                        Directly provide tool-requires instead of a conanfile
  -b BUILD, --build BUILD
                        Optional, specify which packages to build from source.
                        Combining multiple '--build' options on one command
                        line is allowed. Possible values: --build=never
                        Disallow build for all packages, use binary packages
                        or fail if a binary package is not found, it cannot be
                        combined with other '--build' options. --build=missing
                        Build packages from source whose binary package is not
                        found. --build=cascade Build packages from source that
                        have at least one dependency being built from source.
                        --build=[pattern] Build packages from source whose
                        package reference matches the pattern. The pattern
                        uses 'fnmatch' style wildcards, so '--build="*"' will
                        build everything from source. --build=~[pattern]
                        Excluded packages, which will not be built from the
                        source, whose package reference matches the pattern.
                        The pattern uses 'fnmatch' style wildcards.
                        --build=missing:[pattern] Build from source if a
                        compatible binary does not exist, only for packages
                        matching pattern. --build=compatible:[pattern]
                        (Experimental) Build from source if a compatible
                        binary does not exist, and the requested package is
                        invalid, the closest package binary following the
                        defined compatibility policies (method and
                        compatibility.py)
  -r REMOTE, --remote REMOTE
                        Look in the specified remote or remotes server
  -nr, --no-remote      Do not use remote, resolve exclusively in the cache
  -u [UPDATE], --update [UPDATE]
                        Will install newer versions and/or revisions in the
                        local cache for the given reference name, or all
                        references in the graph if no argument is supplied.
                        When using version ranges, it will install the latest
                        version that satisfies the range. It will update to
                        the latest revision for the resolved version range.
  -pr PROFILE, --profile PROFILE
                        Apply the specified profile. By default, or if
                        specifying -pr:h (--profile:host), it applies to the
                        host context. Use -pr:b (--profile:build) to specify
                        the build context, or -pr:a (--profile:all) to specify
                        both contexts at once
  -pr:b PROFILE_BUILD, --profile:build PROFILE_BUILD
  -pr:h PROFILE_HOST, --profile:host PROFILE_HOST
  -pr:a PROFILE_ALL, --profile:all PROFILE_ALL
  -o OPTIONS, --options OPTIONS
                        Apply the specified options. By default, or if
                        specifying -o:h (--options:host), it applies to the
                        host context. Use -o:b (--options:build) to specify
                        the build context, or -o:a (--options:all) to specify
                        both contexts at once. Example:
                        -o="pkg/*:with_qt=True"
  -o:b OPTIONS_BUILD, --options:build OPTIONS_BUILD
  -o:h OPTIONS_HOST, --options:host OPTIONS_HOST
  -o:a OPTIONS_ALL, --options:all OPTIONS_ALL
  -s SETTINGS, --settings SETTINGS
                        Apply the specified settings. By default, or if
                        specifying -s:h (--settings:host), it applies to the
                        host context. Use -s:b (--settings:build) to specify
                        the build context, or -s:a (--settings:all) to specify
                        both contexts at once. Example: -s="compiler=gcc"
  -s:b SETTINGS_BUILD, --settings:build SETTINGS_BUILD
  -s:h SETTINGS_HOST, --settings:host SETTINGS_HOST
  -s:a SETTINGS_ALL, --settings:all SETTINGS_ALL
  -c CONF, --conf CONF  Apply the specified conf. By default, or if specifying
                        -c:h (--conf:host), it applies to the host context.
                        Use -c:b (--conf:build) to specify the build context,
                        or -c:a (--conf:all) to specify both contexts at once.
                        Example:
                        -c="tools.cmake.cmaketoolchain:generator=Xcode"
  -c:b CONF_BUILD, --conf:build CONF_BUILD
  -c:h CONF_HOST, --conf:host CONF_HOST
  -c:a CONF_ALL, --conf:all CONF_ALL
  -l LOCKFILE, --lockfile LOCKFILE
                        Path to a lockfile. Use --lockfile="" to avoid
                        automatic use of existing 'conan.lock' file
  --lockfile-partial    Do not raise an error if some dependency is not found
                        in lockfile
  --lockfile-out LOCKFILE_OUT
                        Filename of the updated lockfile
  --lockfile-clean      Remove unused entries from the lockfile
  --lockfile-overrides LOCKFILE_OVERRIDES
                        Overwrite lockfile overrides
  --build-require       Whether the provided reference is a build-require
  -sl SEVERITY_LEVEL, --severity-level SEVERITY_LEVEL
                        Set threshold for severity level to raise an error. By
                        default raises an error for any critical CVSS (9.0 or
                        higher). Use 100.0 to disable it.
  -p PROVIDER, --provider PROVIDER
                        Provider to use for scanning

conan audit scan checks for vulnerabilities in the given reference and its transitive dependencies. The command accepts the usual configuration arguments (profiles, settings, options, conf) so that the dependency graph it expands is the same one your build would resolve.
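As an added example (not Conan's own code), a small CI gate that drives conan audit scan with the documented --severity-level, --provider, --out-file and --profile:all options. The policy names, the assumption that any non-zero exit means the gate failed, and the provider and file names are this example's own.

```python
"""CI gate around `conan audit scan` (added example, not Conan's own code)."""
import subprocess
import sys
from pathlib import Path

# CVSS v3.x qualitative bands. -sl is the lowest score that makes the command
# raise an error; 9.0 is conan audit's default and 100.0 disables the check.
SEVERITY_THRESHOLDS = {"critical": 9.0, "high": 7.0, "medium": 4.0,
                       "low": 0.1, "off": 100.0}


def severity_threshold(policy: str) -> float:
    """Map a policy name to the CVSS score passed via --severity-level."""
    try:
        return SEVERITY_THRESHOLDS[policy.lower()]
    except KeyError:
        raise ValueError(f"unknown severity policy {policy!r}; expected one of "
                         f"{sorted(SEVERITY_THRESHOLDS)}") from None


def build_scan_command(recipe_path, policy="critical", provider=None,
                       out_file=None, profile=None):
    """Assemble the argv for `conan audit scan` from its documented options."""
    cmd = ["conan", "audit", "scan", "--format", "json",
           "--severity-level", f"{severity_threshold(policy):.1f}"]
    if out_file:
        cmd += ["--out-file", str(out_file)]  # JSON report kept as a CI artifact
    if provider:
        cmd += ["--provider", provider]  # name registered via `conan audit provider add`
    if profile:
        cmd += ["--profile:all", profile]  # resolve the same graph the release build uses
    cmd.append(str(recipe_path))
    return cmd


def run_audit_gate(recipe_path, report="audit-report.json", **kwargs):
    """Run the scan and return (passed, report_path). Assumption of this
    example: any non-zero exit fails the gate, since the docs only say the
    command raises an error above the threshold; stderr is echoed so a real
    finding can be told apart from a provider/auth/network problem."""
    cmd = build_scan_command(recipe_path, out_file=report, **kwargs)
    try:
        result = subprocess.run(cmd, text=True, capture_output=True)
    except FileNotFoundError:  # conan not on PATH: fail closed, do not skip the gate
        return False, Path(report)
    if result.returncode != 0:
        print(result.stderr, file=sys.stderr)
    return result.returncode == 0, Path(report)
```

Call `run_audit_gate(".", policy="high")` from the pipeline step and map the returned flag to the job's exit status.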

conan audit list

$ conan audit list -h
usage: conan audit list [-h] [-f FORMAT] [--out-file OUT_FILE] [-v [V]]
                        [-cc CORE_CONF] [-l LIST] [-r REMOTE] [-p PROVIDER]
                        [reference]

List the vulnerabilities of the given reference.

positional arguments:
  reference             Reference to list vulnerabilities for

options:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Select the output format: json, html
  --out-file OUT_FILE   Write the output of the command to the specified file
                        instead of stdout.
  -v [V]                Level of detail of the output. Valid options from less
                        verbose to more verbose: -vquiet, -verror, -vwarning,
                        -vnotice, -vstatus, -v or -vverbose, -vv or -vdebug,
                        -vvv or -vtrace
  -cc CORE_CONF, --core-conf CORE_CONF
                        Define core configuration, overwriting global.conf
                        values. E.g.: -cc core:non_interactive=True
  -l LIST, --list LIST  pkglist file to list vulnerabilities for
  -r REMOTE, --remote REMOTE
                        Remote to use for listing
  -p PROVIDER, --provider PROVIDER
                        Provider to use for scanning

The conan audit list command lists the vulnerabilities of the given reference without checking its transitive dependencies. You can pass either a single reference or a pkglist file containing multiple references.

conan audit provider

$ conan audit provider -h
usage: conan audit provider [-h] [-f FORMAT] [--out-file OUT_FILE] [-v [V]]
                            [-cc CORE_CONF] [--url URL]
                            [--type {conan-center-proxy,private}]
                            [--token TOKEN]
                            {add,list,auth,remove} [name]

Manage security providers for the 'conan audit' command.

positional arguments:
  {add,list,auth,remove}
                        Action to perform from 'add', 'list' , 'remove' or
                        'auth'
  name                  Provider name

options:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Select the output format: json
  --out-file OUT_FILE   Write the output of the command to the specified file
                        instead of stdout.
  -v [V]                Level of detail of the output. Valid options from less
                        verbose to more verbose: -vquiet, -verror, -vwarning,
                        -vnotice, -vstatus, -v or -vverbose, -vv or -vdebug,
                        -vvv or -vtrace
  -cc CORE_CONF, --core-conf CORE_CONF
                        Define core configuration, overwriting global.conf
                        values. E.g.: -cc core:non_interactive=True
  --url URL             Provider URL
  --type {conan-center-proxy,private}
                        Provider type
  --token TOKEN         Provider token

The conan audit provider command manages the list of providers used to check for vulnerabilities.

By default, the conan audit subcommands use the ConanCenter provider, but you can add your own providers to the list. Currently, apart from the default ConanCenter provider, only private JFrog Security providers are supported; see the audit devops page for more information.

There are 3 subcommands:

- conan audit provider auth: authenticate against a provider with a token.
- conan audit provider add: add a provider to the list.
- conan audit provider remove: remove a provider from the list.

See also