dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
As per PURL spec, both these fields are optional https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst https://github.com/DependencyTrack/dependency-track/issues/2694
No. Your SBoM, VEX and VDR are your business. I would happily reimplement any deps.dev feature that is lacking in dep-scan in a privacy-protecting manner. Thank you, Prabhu
Hi, I would like to supply a file with a list of assets (hardware, operating system, application) to dep-scan as input to scan for vulnerabilities and get matching vulns from NIST. a@MacBook-Air bin %...
Continuation of https://github.com/AppThreat/dep-scan/issues/79 Why can't depscan support multiple scanning engines such as dependency track and others, including commercial tools? When provided with arguments to the external scanner, the tool could...
https://blog.trailofbits.com/2023/01/13/sigstore-python/
Currently, file names are generated with a bunch of find and replace, which sometimes interferes with directory names. Eg, if the `--reports-dir` contains the word `depscan`, it gets changed to...
Well, it's time dep-scan is tested against the other tools to identify gaps. A new workflow is set up to continuously test dep-scan against top docker images. Results are then...
We should redo the HTML export logic and bring it to this project directly.
Both npm and pypi support trusted publishing. Need to check if the data is available via the API.
### Expected Behavior

Report with reachability information is produced

### Actual Behavior

depscan ends with error:

DEBUG [2024-04-23 06:29:51,230] BOM Profile: research
DEBUG [2024-04-23 06:29:51,231] ⚡︎ Executing "cdxgen -r -t...