dep-scan

dep-scan copied to clipboard

### Request Description https://lyz-code.github.io/blue-book/gettext/ ### Additional Information _No response_

prabhu

### Request Description https://github.com/oracle/graalpython ### Additional Information _No response_

prabhu

- [x] Add a table of contents at the top of our ReadMe - [ ] Create a Read the Docs - [ ] Create documentation with sphinx - [...

cerrussell

https://github.com/DependencyTrack/dependency-track/discussions/3159#discussioncomment-7434198 Looks like depscan is not reporting vulnerabilities with the clojars type.

prabhu

https://github.com/nexB/vulnerablecode/tree/main/vulntotal This way, we can compare and improve depscan where possible.

prabhu

https://github.com/DependencyTrack/dependency-track/issues/244

prabhu

Support for suppression

1

A tool like dep-scan inevitably produces false positives due to aliasing and SBoM generation lifecycle. While tools like trivy offer ignore files and rego policies to support advanced [filtering](https://github.com/aquasecurity/trivy/blob/v0.19.2/contrib/example_policy/advanced.rego), depscan...

prabhu

It's time for depscan to inspect the executables bundled in the container image and system locations for anything malicious. The ticket would be updated to discuss the design of the...

prabhu

ASK：how to identify a component is directly or indirecty dependency?

3

Just according to the value of 'scope' (required, optional) in SBOM？ is that accurate？thanks ------------------ ``` if is_required and package_type not in config.OS_PKG_TYPES: package_usage = ":direct_hit: Direct usage" package_name_style =...

jackhj000

Linked issue: https://github.com/CycloneDX/cdxgen/issues/343 I want to replace the privado integration with [AppThreat atom](https://github.com/AppThreat/atom). Unlike Privado, which specializes in data privacy, atom would support more SBoM and Supply Chain use cases.

prabhu