
no depscan report generated if no vulnerabilities are found

Open stevesea opened this issue 5 years ago • 2 comments

If I run sast-scan on my project:

docker run --rm \
    -e "SCAN_DEBUG_MODE=debug" \
    -e "VDB_HOME=/db" \
    -e "GITHUB_TOKEN=${GITHUB_TOKEN}" \
    -e "WORKSPACE=${PWD}" \
    -v /tmp/vuln:/db -v ~/.m2:/.m2 -v $(pwd):/app \
    shiftleft/sast-scan \
    scan --src /app --out_dir /app/reports --type java,kotlin,depscan

I see output like:

DEBUG    ⚡︎ Executing depscan "/usr/local/bin/depscan --no-banner --suggest --src /app --report_file /app/reports/depscan-report.json"
DEBUG [2020-08-19 19:18:33,051] Vulnerability database loaded from /db/data.vdb
DEBUG [2020-08-19 19:18:35,762] Vulnerability database contains 428485 records
INFO [2020-08-19 19:18:35,762] Performing regular scan for /app using plugin java
INFO [2020-08-19 19:18:35,762] Scanning 7 oss dependencies for issues 
INFO [2020-08-19 19:19:14,159] No oss vulnerabilities detected ✅

But the /app/reports/depscan-report.json file is not created. Many of the other tools within sast-scan seem to still generate a report if no vulnerabilities are found.

Prior to setting SCAN_DEBUG_MODE=debug, I didn't get any indication from the sast-scan output that depscan had run and found no issues.

stevesea (Aug 19 '20 19:08)

@stevesea Thanks for reporting this. A few tools, such as credscan and python taint, do not produce the file when the results are empty. But I agree it would be nice to make this consistent. I will take a look at this. Glad you found the DEBUG_MODE flag. It helps hide the crashes from everyday scans, but I agree it will make the initial diagnosis quite hard.

prabhu (Aug 19 '20 19:08)

@stevesea I will begin work on this requirement this week, since this will help implement build breaker support for depscan as well. Meanwhile, as a workaround, look for the presence of the bom.json file. This file should always be produced with a full list of all oss dependencies. In an ideal world, this file would also have included the vulnerability information, as per the CycloneDX specification. When I started building depscan, Google's grafeas project was all the craze, so I started producing depscan results in grafeas format, hoping that users would import results with a standard like SARIF. But it looks like grafeas has gone silent (dead?) over time.

prabhu (Aug 22 '20 08:08)
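The workaround above leaves a CI job with an ambiguity: a missing depscan-report.json can mean either "nothing found" or "depscan never ran". The following added example (not sast-scan's or depscan's own code) uses the presence of bom.json to tell those apart; it assumes bom.json lands in the same out_dir as the report, and the constructed bom.json only mimics the CycloneDX "components" list.

```python
# Added example, not sast-scan's or depscan's own code. Assumes the layout
# this issue describes: depscan writes <out_dir>/bom.json whenever it runs and
# <out_dir>/depscan-report.json only when it found vulnerabilities.
import json
import tempfile
from pathlib import Path

def classify_depscan_run(out_dir):
    """Return (status, component_count) for a sast-scan output directory.
    "vulnerabilities": depscan-report.json present, findings to triage
    "clean":           bom.json present but no report (the case in this issue)
    "not_run":         no bom.json, so the dependency scan never ran or crashed
    """
    out = Path(out_dir)
    bom_path, report_path = out / "bom.json", out / "depscan-report.json"
    components = 0
    if bom_path.is_file():
        with bom_path.open() as fh:
            # CycloneDX JSON lists the scanned packages under "components"
            components = len(json.load(fh).get("components", []))
    if report_path.is_file() and report_path.stat().st_size > 0:
        return "vulnerabilities", components
    if bom_path.is_file():
        return "clean", components
    return "not_run", components

def write_constructed_run(out_dir, with_report=False, n_components=7):
    """Populate out_dir with a constructed CycloneDX bom.json (and, optionally,
    a placeholder depscan-report.json) to mimic the two outcomes."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.2",
           "components": [{"type": "library", "name": f"constructed-lib-{i}",
                           "version": "1.0.0"} for i in range(n_components)]}
    (out / "bom.json").write_text(json.dumps(bom))
    if with_report:
        # Placeholder content only; the real report format is not reproduced here
        (out / "depscan-report.json").write_text('{"constructed": true}')
    return out

def classify_constructed_run(with_report=False):
    """Build a throwaway output directory and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        return classify_depscan_run(write_constructed_run(tmp, with_report))

if __name__ == "__main__":
    status, n = classify_constructed_run()
    print(f"depscan status={status}, components scanned={n}")
    # Fail only when the scan demonstrably did not run; bom.json without a report is clean
    raise SystemExit(1 if status == "not_run" else 0)
```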