dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container ima...
### Expected Behavior SBOM should contain purls with "pkg:golang/..." in it ### Actual Behavior SBOM does not list any golang packages. ### Steps to Reproduce Create container with golang binary....
### PURL of wrongly matched component Rejected by NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24304 But still reported by GitHub and OSV. https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-h8hf-x3f4-xwgp/GHSA-h8hf-x3f4-xwgp.json https://osv.dev/vulnerability/GHSA-h8hf-x3f4-xwgp https://osv.dev/vulnerability/GHSA-f825-f98c-gj3g ### Depscan findings I think depscan or vdb6 could have...
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-fj58-h2fr-3pp2/GHSA-fj58-h2fr-3pp2.json#L73 This CVE has LOW severity on NVD, but is flagged as critical by GitHub and OSV. Goes to show the importance of analysis such as Reachability to better identify the...
We can collect a bunch of vulnerable repos, and come up with detailed instructions to perform the various analysis with depscan.
### Expected Behavior Reachability report should be generated as per README or any error should be displayed. ### Actual Behavior Empty report file. Depscan exits showing only banner. ### Steps...
# Changes - Implements snapshot integration testing - Adds recommendation for vulnerabilities in CSAF - Bugfixes for reference and advisory parsing and categorization for BOM VDR and CSAF
### Request Description It would be great to include insights showing indirect dependencies in the `.json` report, similar to the insights currently available in both `HTML` and `CLI` output. ###...
Let's imagine a situation where we import a transitive dependency from the main dependency: import {transitive_dep} from {direct_dep}. In the main dependency, we have transitive dependency export allowed: export {transitive_dep}...
### PURL of wrongly matched component pkg:npm/lodash@4.17.21 ### Depscan findings Receiving {"id": "CVE-2019-1010266", "package": "npm:lodash", "purl": "pkg:npm/lodash@4.17.21", "package_type": "npm", "package_usage": "required", "version": "4.17.21", "fix_version": "4.17.11", "severity": "MEDIUM", "cvss_score": "5.0", "short_description":...
### Expected Behavior Should have downloaded curl -LO https://github.com/appthreat/depscan-bin/releases/latest/download/depscan-linux-amd64 chmod +x depscan-linux-amd64 ./depscan-linux-amd64 --help ### Actual Behavior curl -LO https://github.com/appthreat/depscan-bin/releases/latest/download/depscan-linux-amd64 chmod +x depscan-linux-amd64 ./depscan-linux-amd64 --help issue here not working ###...