dep-scan v5.1.4 releases: Fully open-source security audit for project dependencies

open-source security audit

dep-scan

dep-scan is a fully open-source security audit tool for project dependencies based on known vulnerabilities, advisories, and licenses limitations. Both local repositories and container images are supported as input. The tool is ideal for CI environments with built-in build breaker logic.

Features

  • Scan most application code – local repos, Linux container images, Kubernetes manifests, and OS – to identify known CVEs with prioritization
  • Perform advanced reachability analysis for multiple languages (See reachability analysis)
  • Package vulnerability scanning is performed locally and is quite fast. No server is used!
  • Generate Software Bill-of-Materials (SBOM) with Vulnerability Disclosure Report (VDR) information
  • Generate a Common Security Advisory Framework (CSAF) 2.0 VEX document (check out the CSAF Readme)
  • Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)

NOTE:

  • [1] Only application-related packages in container images are included in scanning. OS packages are not included yet.

Supported languages and package format

dep-scan uses cdxgen command internally to create a Software Bill-of-Materials (SBoM) file for the project. This is then used for performing the scans.

The following projects and package-dependency format is supported by cdxgen.

Language Package format
node.js package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js
java maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt)
php composer.lock
python setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel
go go.mod, go.sum, Gopkg.lock, binary
ruby Gemfile.lock, gemspec
rust Cargo.toml, Cargo.lock
.Net Framework .csproj, packages.config
.Net core .csproj, packages.config
docker / oci image All supported languages excluding OS packages

NOTE

The docker image for dep-scan currently doesn’t bundle suitable java and maven commands required for BOM generation. To work around this limitation, you can –

  1. Use python-based execution from a VM containing the correct versions for java, maven, and gradle.
  2. Generate the bom file by invoking the cdxgen command locally and subsequently passing this to dep-scan via the –bom argument.

Changelog v5.1.4

  • chore: Add a table of contents at the beginning of README.md by @cerrussell in #200
  • Better logic to silence all logging from external modules by @prabhu in #201

Install & Use

Copyright (c) 2023 OWASP Foundation