dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
The package name `http` is matching several CVEs belonging to other ecosystems. Aliasing must be tuned down for cargo packages. (Truncated output: Dependency Scan Results (RUST), Dependency Tree table ...)
### PURL of wrongly matched component

pkg:pypi/[email protected]

### Depscan findings

P.S. the latest version of pypi/gitlab is 1.0.2 (https://pypi.org/project/gitlab/1.0.2/#history). But depscan thinks that this pypi package == gitlab version, but...
### PURL of wrongly matched component

[stats-github.ods](https://github.com/owasp-dep-scan/dep-scan/files/14874571/stats-github.ods)
[depscan-bom.json](https://github.com/owasp-dep-scan/dep-scan/files/14874576/depscan-bom.json)
[sbom-source-syft(1).json](https://github.com/owasp-dep-scan/dep-scan/files/14874577/sbom-source-syft.1.json)

### Depscan findings

Of course, the method for determining FN may not be correct enough, since in some cases I determined...
Update vdb to fix pypi false positive. Fixes #281
### Request Description Hello! I'm just curious about how often the vulnerability database updates, I've looked through the help CLI command, OWASP page, git page and even the source code...
vdb6 is [switching](https://github.com/AppThreat/vulnerability-db/pull/107) to a sqlite db from the current file-based one. xz compression seems to be performing well with sqlite compared to nydus rafs - 174MB vs 496MB with...
Since vdb6 supports search by cpe, let's add it to depscan as well
We currently use forward-reachability analysis based on automatic tags, by default. We could offer options to use backward-reachability or analysis based on arbitrary input and output tags.
### Expected Behavior When Dockerized `deepscan` should generate the .json file as well. ### Actual Behavior When running as described in the documentation, I can find a `/tmp/report-docker.json` file output...
This is a bit tricky since the download url is constructed in one place and passed to the `request-progress` dependency to perform the actual download.

https://github.com/Medium/phantomjs/blob/master/package.json#L38
https://github.com/Medium/phantomjs/blob/af7ba2a4e3b51f835302fafc0091ed2be6a27e1a/lib/util.js#L92
https://github.com/Medium/phantomjs/blob/af7ba2a4e3b51f835302fafc0091ed2be6a27e1a/install.js#L147
https://github.com/Medium/phantomjs/blob/af7ba2a4e3b51f835302fafc0091ed2be6a27e1a/install.js#L227

(Truncated terminal output ...)