dep-scan
[v6] Feature: disable use of remote audit by default
Request Description
For npm, the remote audit is enabled by default to avoid false negatives. Let's make this opt-in in v6 to prefer offline-only first.
Additional Information
How do we deal with the fact that we might miss legitimate malware since the vdb is rebuilt only every x hours or so, and users might forget to refresh the database periodically?
@prabhu I had started on a config file for depscan that would include allowing the user to set a setting to periodically update vdb at a user-specified interval. My thought was that we could also store the date/time of the last update and log that info at the beginning of every scan so that the user would be aware.
How about I return to this and add to v6... there are other things I want to incorporate into it when I have time, but this part is quite easy.
Thanks @cerrussell. Adding this to the config file is a good idea.
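The staleness check discussed above, as an added example that is not dep-scan's own code: a config with remote audit off by default and a refresh interval, a stored last-update timestamp, and a message logged at the start of every scan so the user knows how old the offline data is. The names VdbConfig, check_vdb_freshness and the meta file layout are assumptions, not dep-scan's real config keys.

```python
"""Added example (not dep-scan's own code): decide whether a locally cached
vulnerability database (vdb) is stale before an offline-only scan.
All names (VdbConfig, check_vdb_freshness, the meta file) are hypothetical."""
import json
import logging
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path
from typing import Optional, Tuple

log = logging.getLogger("depscan")

@dataclass
class VdbConfig:
    # Hypothetical config keys: remote audit is opt-in (off by default) and
    # the local vdb counts as stale once it is older than this many hours.
    remote_audit: bool = False
    vdb_refresh_hours: int = 24

def read_last_update(meta_file: Path) -> Optional[datetime]:
    """Timestamp of the last vdb refresh, or None if the meta file is missing/bad."""
    try:
        return datetime.fromisoformat(json.loads(meta_file.read_text())["last_updated"])
    except (OSError, KeyError, TypeError, ValueError):
        return None

def write_last_update(meta_file: Path, when: datetime) -> None:
    meta_file.write_text(json.dumps({"last_updated": when.isoformat()}))

def check_vdb_freshness(cfg: VdbConfig, meta_file: Path, now: datetime) -> Tuple[bool, str]:
    """Return (needs_refresh, message); call at the start of every scan so the
    user sees how old the offline data is. With remote audit off, a stale vdb
    means findings can be missed outright, so the message says so."""
    last = read_last_update(meta_file)
    if last is None:
        msg = "vdb last update unknown; refresh before trusting offline-only results"
        log.warning(msg)
        return True, msg
    age_h = (now - last).total_seconds() / 3600
    if age_h > cfg.vdb_refresh_hours:
        msg = f"vdb last updated {last.isoformat()} ({age_h:.1f}h ago), older than {cfg.vdb_refresh_hours}h"
        if not cfg.remote_audit:
            msg += "; remote audit is off, so nothing will fill the gap"
        log.warning(msg)
        return True, msg
    msg = f"vdb last updated {last.isoformat()} ({age_h:.1f}h ago); within refresh interval"
    log.info(msg)
    return False, msg
```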