dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
As of now vulndb data is being used by dep-scan, but it's storing the data on a storage volume, which is not ideal for its size, especially in a production environment. So...
Let's accept spdx with `--bom` argument
I have scanned a vulnerable log4j repo just for testing and found that `CVE-2021-44228` is considered low severity. Repository used for scanning: https://github.com/christophetd/log4shell-vulnerable-app Attaching the screenshot for reference:
Support for Bom with VEX https://cyclonedx.org/docs/1.4/json/#vulnerabilities
Let's see how dep-scan stacks up against a multi-billion company. https://gitlab.com/gitlab-org/security-products/tests/dependency-scanning
I'm trying to scan a Java multiproject, but I don't obtain a result. I'm using a simple command: depscan --src $PWD...
Hi, I'm using https://github.com/AppThreat/dep-scan-action on some of my repos and it started to fail today with the following error: `___ _____ _ _ / _ \ |_ _| |...`
It is not clear if the risk audit feature of dep-scan caught the ua-parser.js attack. My guess is that it should've checked for the presence of the preinstall script and...
dep-scan uses a rudimentary vendor and package name alias to fix misfiled CVEs. However, some CVEs are terribly filed with no version number information and even missing CPEs. We need...
Noticed that some node.js apps have package.json entries for built-in packages, which is risky. Possible issues in the python world too.