dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
### Request Description https://github.com/nushell/nushell/blob/main/crates/nu_plugin_python/nu_plugin_python_example.py ### Additional Information _No response_
### Request Description 1. At this moment, as far as I know, depscan can generate reports only in HTML and JSON, but this JSON is not complete and doesn't have all the information that...
### Request Description For npm, the remote audit is enabled by default to avoid false negatives. Let's make this in an opt-in in v6 to prefer offline-only first. ### Additional...
### PURL of wrongly matched component pkg:gem/[email protected] ### Depscan findings Other than the phrase `wrongly reported as a security vulnerability`, there is nothing in the API or attributes that gives...
### Request Description cdxgen has become slow with some queries. https://github.com/CycloneDX/cdxgen/issues/8274 depscan then gets confused with some data and swid components resulting in serious amount of false positives. A first...
Hi, dep-scan supports different profiles: `appsec`, `generic`, `operational`, etc. Can you please add some documentation about the differences and the cases where I should use each one? (and also which profile...
### Request Description We seem to be incorrectly flagging spring and log4j packages as "Indirect dependency" by only looking at the dependency tree. We could have a way to define...
Why can't dep-scan accept existing vulnerability data in vex and other formats and prioritize it by understanding the application context? The key differentiation aspects of dep-scan are the CVE insights...
We have a couple of inconsistencies with the file extensions. - [x] We use .vex.json even when the information is VDR and not VEX. - [ ] We use .json...