
Results: 9 osv-detector issues

This adds a `--update-config-ignores` flag that aims to update the osv-detector configs to ignore all found vulnerabilities for the related lockfile if a config exists. For now I'm keeping this...

Originally I called this `osv-detector` because I felt "auditor" and "scanner" were a bit overloaded, and I was considering if this was to be published as a package somewhere, `osv-detector`...

help wanted
question

Sometimes it could be unnecessary to scan dev or build deps, so such an option could be useful.

enhancement

OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. CycloneDX is an OWASP flagship project...

enhancement

We should have a JSON schema for validating `.osv-detector` configs.

enhancement
good first issue

Gems can be in the lockfile multiple times if they have different platforms - we're actually already supporting parsing this out, but currently we ignore the platform; this results in...

bug
help wanted

#94 adds support for using the `osv.dev` API which supports commits as well as versions - so we should make sure the manifest parsers are able to extract this information...

enhancement
help wanted
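The two parser issues above (platform-suffixed gems appearing more than once in a `Gemfile.lock`, and extracting commits so the `osv.dev` API can be queried by revision rather than version) share the same worked example. The Go below is an added illustration, not osv-detector's own parser: it keeps each platform variant as its own entry, attaches the `revision:` of a `GIT` source block to the gems under it, and builds the request body for the real `https://api.osv.dev/v1/querybatch` endpoint, whose per-query shape is either `{"commit": ...}` or `{"version": ..., "package": {"name": ..., "ecosystem": ...}}`. The lockfile text is constructed for the example, the version/platform split at the first `-` mirrors Bundler's own lockfile parser, and collapsing platform variants into one OSV query (because OSV has no notion of platform) is a design choice here, not something the project is known to do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Gem is one spec line from a Gemfile.lock. Platform is empty for the
// pure-Ruby build; Commit is the git revision for gems from a GIT block.
type Gem struct {
	Name     string
	Version  string
	Platform string
	Commit   string
}

var (
	// Top-level specs are indented by exactly four spaces; their own
	// dependencies by six, which \S rejects at column five. Like Bundler's
	// parser, the version stops at the first "-" and the rest is the
	// platform, e.g. "nokogiri (1.13.3-x86_64-linux)".
	specRe     = regexp.MustCompile(`^    (\S+) \(([^-)]*)(?:-([^)]+))?\)$`)
	revisionRe = regexp.MustCompile(`^  revision: ([0-9a-f]{7,40})$`)
)

// ParseGemfileLock returns every spec in the lockfile, keeping platform
// variants as separate entries and recording the git revision of gems
// that come from a GIT source block.
func ParseGemfileLock(content string) []Gem {
	var (
		gems    []Gem
		section string // GIT, GEM, PATH, PLATFORMS, DEPENDENCIES, ...
		commit  string // revision of the current GIT block, if any
	)
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimRight(line, "\r")
		switch {
		case line == "":
			continue
		case !strings.HasPrefix(line, " "):
			// A non-indented line opens a new section; git state does not carry over.
			section = line
			commit = ""
		case section == "GIT" && revisionRe.MatchString(line):
			commit = revisionRe.FindStringSubmatch(line)[1]
		case section == "GIT" || section == "GEM" || section == "PATH":
			if m := specRe.FindStringSubmatch(line); m != nil {
				gems = append(gems, Gem{Name: m[1], Version: m[2], Platform: m[3], Commit: commit})
			}
		}
	}
	return gems
}

// OSVQuery is one element of the "queries" array sent to /v1/querybatch:
// either a commit, or a package plus version.
type OSVQuery struct {
	Commit  string      `json:"commit,omitempty"`
	Version string      `json:"version,omitempty"`
	Package *OSVPackage `json:"package,omitempty"`
}

type OSVPackage struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}

// QueriesFor builds one query per distinct gem. Git-sourced gems are looked
// up by commit; everything else by name+version in the RubyGems ecosystem.
// Platform variants of one version collapse into a single query (assumption:
// OSV advisories are not platform-specific), so the caller must map each
// result back onto every variant when reporting.
func QueriesFor(gems []Gem) []OSVQuery {
	seen := map[string]bool{}
	var out []OSVQuery
	for _, g := range gems {
		q := OSVQuery{Version: g.Version, Package: &OSVPackage{Name: g.Name, Ecosystem: "RubyGems"}}
		if g.Commit != "" {
			q = OSVQuery{Commit: g.Commit}
		}
		key := q.Commit + "|" + g.Name + "@" + q.Version
		if seen[key] {
			continue
		}
		seen[key] = true
		out = append(out, q)
	}
	return out
}

// QueryBatchJSON is the body to POST to https://api.osv.dev/v1/querybatch.
func QueryBatchJSON(gems []Gem) (string, error) {
	b, err := json.Marshal(map[string]any{"queries": QueriesFor(gems)})
	return string(b), err
}

// sampleLock is a constructed Gemfile.lock, not from any real project; it
// has a git-pinned gem and a gem listed twice, once per platform.
const sampleLock = `GIT
  remote: https://example.invalid/acme/widget.git
  revision: 0123456789abcdef0123456789abcdef01234567
  specs:
    widget (0.3.0)

GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.13.3)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nokogiri (1.13.3-x86_64-linux)
      racc (~> 1.4)
    racc (1.6.0)

PLATFORMS
  ruby
  x86_64-linux

DEPENDENCIES
  nokogiri
  widget!

BUNDLED WITH
   2.3.7
`

func main() {
	gems := ParseGemfileLock(sampleLock)
	for _, g := range gems {
		fmt.Printf("%-10s %-8s platform=%q commit=%q\n", g.Name, g.Version, g.Platform, g.Commit)
	}
	body, err := QueryBatchJSON(gems)
	if err != nil {
		panic(err)
	}
	fmt.Println(body)
}
```

Running it lists four parsed entries (both `nokogiri` variants survive with their platform) but only three OSV queries: the `widget` lookup carries just the commit, while `nokogiri`/`racc` are queried by version under the `RubyGems` ecosystem.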

I am one of the maintainers of https://github.com/ossf/scorecard which is an OSS project which helps in identifying security issues in OSS. We have a check for https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities and would like...

help wanted

https://endoflife.date/ provides a bunch of EOL dates, maintained by the general community, and it has an API! In theory, we could use this with `osv-detector`: since it knows the packages...

question