
Ask: Can depscan become more flexible?

Open prabhu opened this issue 2 years ago • 0 comments

Continuation of https://github.com/AppThreat/dep-scan/issues/79

Why can't depscan support multiple scanning engines such as dependency track and others, including commercial tools? When provided with arguments to the external scanner, the tool could create a new submission and operate as a client instead of performing its analysis with vulnerability-db.

So the flow would be:

CI ==> depscan ==> dependency track (API) ==> vex

CI ==> depscan ==> Commercial Scanner (API) ==> vex

In a microservices/k8s environment, the flow could be

API client ==> depscan server (API) ==> dependency track (API) ==> vex
               \\
                <==> cdxgen server (API)
API client ==> depscan server (API) ==> Commercial Scanner (API) ==> vex
               \\
                <==> cdxgen server (API)

Attestation flows

API client ==> depscan server (API) ==> dependency track (API) ==> vex
               \\                                                  \\
                <==> cdxgen server (API)                            <==> Signed/attested vex

prabhu Jan 31 '23 20:01
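As an added example (not dep-scan's own code), the client half of the `depscan ==> dependency track (API) ==> vex` flow in Python: submit a CycloneDX BOM to Dependency-Track and turn its findings into a CycloneDX 1.4 VEX document. The endpoints, header and JSON shapes (`PUT /api/v1/bom` with `X-Api-Key`, `GET /api/v1/finding/project/{uuid}`) are assumed from the Dependency-Track REST API, and the findings list is constructed so the conversion runs offline.

```python
import base64
import json
import urllib.request

# Constructed sample in the shape of the findings API response
# (assumed GET /api/v1/finding/project/{uuid}); not captured from a real server.
SAMPLE_FINDINGS = [
    {"component": {"uuid": "c-1", "purl": "pkg:npm/lodash@4.17.15"},
     "vulnerability": {"vulnId": "CVE-0000-00001", "source": "NVD",
                       "severity": "HIGH", "cvssV3BaseScore": 7.5},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"uuid": "c-2", "purl": "pkg:npm/minimist@0.0.8"},
     "vulnerability": {"vulnId": "GHSA-xxxx-xxxx-xxxx", "source": "GITHUB",
                       "severity": "MEDIUM"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
]

# Dependency-Track analysis state -> CycloneDX 1.4 VEX analysis state
STATE_MAP = {"NOT_AFFECTED": "not_affected", "FALSE_POSITIVE": "false_positive",
             "EXPLOITABLE": "exploitable", "IN_TRIAGE": "in_triage", "RESOLVED": "resolved"}

def upload_bom(base_url, api_key, project, version, bom_bytes):
    """Submit a CycloneDX BOM (assumed PUT /api/v1/bom); returns the processing token."""
    body = json.dumps({"projectName": project, "projectVersion": version,
                       "autoCreate": True,
                       "bom": base64.b64encode(bom_bytes).decode()}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/bom", data=body, method="PUT",
                                 headers={"X-Api-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]

def findings_to_vex(findings):
    """Convert Dependency-Track findings into a CycloneDX 1.4 VEX document."""
    vulns = []
    for f in findings:
        vuln, comp, analysis = f["vulnerability"], f["component"], f.get("analysis") or {}
        rating = {"severity": vuln["severity"].lower()}
        if "cvssV3BaseScore" in vuln:
            rating["score"] = vuln["cvssV3BaseScore"]
        entry = {"id": vuln["vulnId"], "source": {"name": vuln["source"]},
                 "ratings": [rating],
                 # reference the component by purl so the VEX can be matched to the BOM
                 "affects": [{"ref": comp.get("purl") or comp["uuid"]}]}
        if analysis.get("state") in STATE_MAP:  # NOT_SET carries no VEX statement
            entry["analysis"] = {"state": STATE_MAP[analysis["state"]]}
        vulns.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": vulns}
```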