
Support for suppression

Open prabhu opened this issue 1 year ago • 1 comment

A tool like dep-scan inevitably produces false positives due to aliasing and SBoM generation lifecycle.

While tools like trivy offer ignore files and rego policies to support advanced filtering, depscan could offer a TOML-based solution instead.

Regarding file naming and folder structure, it might be wise to adopt dot-config instead of spoiling the root folders of every repo.

https://dot-config.github.io

So suppression lists could be kept under .config/depscan/*.toml with an optional --config-dir to override this directory for integration use cases.

prabhu avatar Jul 01 '23 13:07 prabhu

@prabhu Is there a purpose for the depscan folder under .config since dot-config is talking about a .config directory at the repository level?

To clarify the --config-dir option, should this be to not use a suppression list or do you mean an alternative toml path to load?

cerrussell avatar Jul 31 '23 05:07 cerrussell