owasp-depscan 4.2.8__py3-none-any.whl → 4.3.0__py3-none-any.whl

{owasp_depscan-4.2.8.dist-info → owasp_depscan-4.3.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.8
+Version: 4.3.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -14,17 +14,19 @@ Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Security
 Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db >=5.4.2
+Requires-Dist: appthreat-vulnerability-db >=5.5.1
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black ; extra == 'dev'
 Requires-Dist: flake8 ; extra == 'dev'
@@ -45,6 +47,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
 - Package vulnerability scanning is performed locally and is quite fast. No server is used!
 - Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information
+- Generate a Common Security Advisory Framework (CSAF) 2.0 document (check out the [CSAF Readme](contrib/CSAF_README.md))
 - Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)
 
 ![Dependency Tree with Insights](docs/tree1.jpg)
@@ -171,24 +174,33 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
-              [--reports-dir REPORTS_DIR] [--no-error] [--deep]
+usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
+               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+
+options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
+  --csaf                Generate a CSAF
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma
-                        separated values accepted.
+                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
   --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
-  -i SRC_DIR, --src SRC_DIR
-                        Source directory
+  -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
+                        Source directory or container image or binary file
+  -o REPORT_FILE, --report_file REPORT_FILE
+                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
   --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
   --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
   --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
@@ -200,6 +212,16 @@ usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit]
                         ThreatDB password
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
+  --privado-json PRIVADO_JSON
+                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+  --server              Run depscan as a server
+  --server-host SERVER_HOST
+                        depscan server host
+  --server-port SERVER_PORT
+                        depscan server port
+  --cdxgen-server CDXGEN_SERVER
+                        cdxgen server url. Eg: http://cdxgen:9090
+  -v, --version         Display the version
 ```
 
 ### Scanning containers locally (Python version)

{owasp_depscan-4.2.8.dist-info → owasp_depscan-4.3.0.dist-info}/RECORD

@@ -1,10 +1,11 @@
 depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/cli.py,sha256=YLWItzDxTTLGt_IF9lJd6_MN_bNrncrsrg-FuDpF9A4,28891
+depscan/cli.py,sha256=G-vLKjBr4hb9T6YmG3lybhngKalq9MSZsf92AOmQURY,30514
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 depscan/lib/analysis.py,sha256=TIK0TuyxOng7VbDdweTndyouwMHDoTo-JjjzxOTiCxk,42085
 depscan/lib/audit.py,sha256=rUkrlioaACfKXb7rLhJoSH4F3btpWLQ6OoSFwV0H62w,1246
-depscan/lib/bom.py,sha256=p3M42oneJYHHUzrkfFDjWSKaWRTIUJtoZhEEbs3yWsE,16210
+depscan/lib/bom.py,sha256=_d_ITu2-aFGerqekIFlQiDhFxKdB5C83bFod7YFxldo,16247
 depscan/lib/config.py,sha256=9tyjo6uNdlJWyNNVfYD5tEt1wWexEyImMmuO8bK9Yns,12562
+depscan/lib/csaf.py,sha256=jG25NAjdCtn9GIKkJ25oh3rssjkut3VYxhCY_V9AXpE,80939
 depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
 depscan/lib/logger.py,sha256=PdGrJstLmvwpMnlYx1zZ12jxz4kmbGm5kTSRs_8UcK4,1529
 depscan/lib/normalize.py,sha256=k8OlhSjzhGieqK1BLJNABRuz2wcwO4J8Ce8lYUsaxik,10008
@@ -61,9 +62,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
 vendor/spdx/json/licenses.json,sha256=PU1SD-zBi-U4r1XIWJ9qU-KixVWsQ5TJePUejC79yzU,251610
-owasp_depscan-4.2.8.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
-owasp_depscan-4.2.8.dist-info/METADATA,sha256=VGn9W5XTh5cIhRhNMM9O7oG82xR2Z8X5uyqRoralf8Q,20990
-owasp_depscan-4.2.8.dist-info/WHEEL,sha256=yQN5g4mg4AybRjkgi-9yy4iQEFibGQmlz78Pik5Or-A,92
-owasp_depscan-4.2.8.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-4.2.8.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-4.2.8.dist-info/RECORD,,
+owasp_depscan-4.3.0.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-4.3.0.dist-info/METADATA,sha256=ZFFyFzVx8LICSMSBDkfG1HyfzPGc-nhuALCnAIbhoZA,22703
+owasp_depscan-4.3.0.dist-info/WHEEL,sha256=yQN5g4mg4AybRjkgi-9yy4iQEFibGQmlz78Pik5Or-A,92
+owasp_depscan-4.3.0.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+owasp_depscan-4.3.0.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-4.3.0.dist-info/RECORD,,