Update nexus: fix conflicts and sync local changes

wiki/concepts/SCA.md

@@ -1,71 +1,71 @@
-# SCA (Software Composition Analysis)
-
-## Definition
-SCA tools focus on the various software components of an application, including libraries and frameworks, to find known security flaws. They help reveal vulnerabilities that may occur when using third-party components.
-
-## Aliases
-- Software Composition Analysis
-- Dependency Analysis
-- Open Source Security
-
-## Characteristics
-- **依赖分析**：扫描应用的所有第三方组件
-- **已知漏洞匹配**：与 CVE/NVD 数据库匹配
-- **许可证合规**：检查开源许可证合规性
-- **供应链安全**：关注依赖链中的安全问题
-
-## What SCA Detects
-- **已知漏洞**（Known Vulnerabilities）
-  - CVEs in dependencies
-  - Security advisories
-- **过时组件**（Outdated Dependencies）
-  - Known vulnerabilities in old versions
-  - Missing security patches
-- **许可证问题**（License Issues）
-  - GPL/AGPL restrictions
-  - Incompatible licenses
-- **高风险依赖**（Risky Dependencies）
-  - Unmaintained packages
-  - Malicious packages
-
-## Common CVE Databases
-- National Vulnerability Database (NVD)
-- GitHub Advisory Database
-- Snyk Vulnerability Database
-- OSV (Open Source Vulnerabilities)
-
-## Tools
-- [[Snyk]] — 专注开源安全的 SCA 工具
-- OWASP Dependency-Check
-- WhiteSource (Mend)
-- FOSSA
-- Dependabot (GitHub)
-
-## Integration Points
-- **CI/CD Pipeline**：在构建时自动扫描依赖
-- **IDE**：开发者本地实时检查
-- **Registry Scanning**：容器镜像仓库扫描
-- **SBOM Generation**：软件物料清单生成
-
-## SBOM (Software Bill of Materials)
-SCA 工具常用于生成 SBOM：
-- 完整的依赖列表
-- 版本信息
-- 许可证信息
-- 漏洞状态
-
-## Limitations
-- 仅检测已知漏洞（零日漏洞无法检测）
-- 需要保持漏洞数据库更新
-- 可能产生误报
-
-## Related Concepts
-- [[DevSecOps]] — SCA 是其重要组件
-- [[SAST]] — 静态应用安全测试
-- [[DAST]] — 动态应用安全测试
-- [[Supply-Chain-Security]] — 供应链安全
-- [[SBOM]] — 软件物料清单
-- [[Zero-Day-Vulnerability]] — 零日漏洞
-
-## Sources
-- [[what-is-devsecops-best-practices-benefits-and-tools]]
+# SCA (Software Composition Analysis)
+
+## Definition
+SCA tools focus on the various software components of an application, including libraries and frameworks, to find known security flaws. They help reveal vulnerabilities that may occur when using third-party components.
+
+## Aliases
+- Software Composition Analysis
+- Dependency Analysis
+- Open Source Security
+
+## Characteristics
+- **依赖分析**：扫描应用的所有第三方组件
+- **已知漏洞匹配**：与 CVE/NVD 数据库匹配
+- **许可证合规**：检查开源许可证合规性
+- **供应链安全**：关注依赖链中的安全问题
+
+## What SCA Detects
+- **已知漏洞**（Known Vulnerabilities）
+  - CVEs in dependencies
+  - Security advisories
+- **过时组件**（Outdated Dependencies）
+  - Known vulnerabilities in old versions
+  - Missing security patches
+- **许可证问题**（License Issues）
+  - GPL/AGPL restrictions
+  - Incompatible licenses
+- **高风险依赖**（Risky Dependencies）
+  - Unmaintained packages
+  - Malicious packages
+
+## Common CVE Databases
+- National Vulnerability Database (NVD)
+- GitHub Advisory Database
+- Snyk Vulnerability Database
+- OSV (Open Source Vulnerabilities)
+
+## Tools
+- [[Snyk]] — 专注开源安全的 SCA 工具
+- OWASP Dependency-Check
+- WhiteSource (Mend)
+- FOSSA
+- Dependabot (GitHub)
+
+## Integration Points
+- **CI/CD Pipeline**：在构建时自动扫描依赖
+- **IDE**：开发者本地实时检查
+- **Registry Scanning**：容器镜像仓库扫描
+- **SBOM Generation**：软件物料清单生成
+
+## SBOM (Software Bill of Materials)
+SCA 工具常用于生成 SBOM：
+- 完整的依赖列表
+- 版本信息
+- 许可证信息
+- 漏洞状态
+
+## Limitations
+- 仅检测已知漏洞（零日漏洞无法检测）
+- 需要保持漏洞数据库更新
+- 可能产生误报
+
+## Related Concepts
+- [[DevSecOps]] — SCA 是其重要组件
+- [[SAST]] — 静态应用安全测试
+- [[DAST]] — 动态应用安全测试
+- [[Supply-Chain-Security]] — 供应链安全
+- [[SBOM]] — 软件物料清单
+- [[Zero-Day-Vulnerability]] — 零日漏洞
+
+## Sources
+- [[what-is-devsecops-best-practices-benefits-and-tools]]