owasp-depscan 5.3.5__tar.gz → 5.4.0__tar.gz

{owasp_depscan-5.3.5/owasp_depscan.egg-info → owasp_depscan-5.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.5
+Version: 5.4.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.8
+Requires-Dist: appthreat-vulnerability-db==5.7.1
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML
@@ -138,27 +138,6 @@ oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 
 Use `vdb-10y` which is a larger database with vulnerability data spanning the last 10 years from 2014. In contrast, vdb with a starting year of 2018 is appropriate for most users.
 
-### Single binary executables
-
-Download the executable binary for your operating system from the [releases page](https://github.com/owasp-dep-scan/depscan-bin/releases). These binary bundle the following:
-
--   dep-scan with Python 3.11
--   cdxgen with Node.js 21
--   cdxgen binary plugins
-
-```bash
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan-linux-amd64
-chmod +x depscan-linux-amd64
-./depscan-linux-amd64 --help
-```
-
-On Windows,
-
-```powershell
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan.exe
-.\depscan.exe --help
-```
-
 ### Server mode
 
 dep-scan and cdxgen could be run in server mode. Use the included docker-compose file to get started.
@@ -190,19 +169,14 @@ Use the `/scan` endpoint to perform scans.
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
--   Scanning a SBOM file (present locally).
+-   Scanning an SBOM file (present locally).
 
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
 -   Scanning a GitHub repo.
-
-```bash
-curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
-```
-
--   Uploading a SBOM file and generating results based on it.
+    Uploading an SBOM file and generating results based on it.
 
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
@@ -307,7 +281,7 @@ You can also specify the image using the sha256 digest
 depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker
 ```
 
-You can also save container images using docker or podman save command and pass the archive to depscan for scanning.
+You can also save container images using the docker or podman save command and pass the archive to depscan for scanning.
 
 ```bash
 docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/README.md

@@ -97,27 +97,6 @@ oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 
 Use `vdb-10y` which is a larger database with vulnerability data spanning the last 10 years from 2014. In contrast, vdb with a starting year of 2018 is appropriate for most users.
 
-### Single binary executables
-
-Download the executable binary for your operating system from the [releases page](https://github.com/owasp-dep-scan/depscan-bin/releases). These binary bundle the following:
-
--   dep-scan with Python 3.11
--   cdxgen with Node.js 21
--   cdxgen binary plugins
-
-```bash
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan-linux-amd64
-chmod +x depscan-linux-amd64
-./depscan-linux-amd64 --help
-```
-
-On Windows,
-
-```powershell
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan.exe
-.\depscan.exe --help
-```
-
 ### Server mode
 
 dep-scan and cdxgen could be run in server mode. Use the included docker-compose file to get started.
@@ -149,19 +128,14 @@ Use the `/scan` endpoint to perform scans.
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
--   Scanning a SBOM file (present locally).
+-   Scanning an SBOM file (present locally).
 
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
 -   Scanning a GitHub repo.
-
-```bash
-curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
-```
-
--   Uploading a SBOM file and generating results based on it.
+    Uploading an SBOM file and generating results based on it.
 
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
@@ -266,7 +240,7 @@ You can also specify the image using the sha256 digest
 depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker
 ```
 
-You can also save container images using docker or podman save command and pass the archive to depscan for scanning.
+You can also save container images using the docker or podman save command and pass the archive to depscan for scanning.
 
 ```bash
 docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/depscan/cli.py

@@ -80,7 +80,7 @@ def build_args():
         action="store_true",
         default=False,
         dest="no_banner",
-        help="Do not display banner",
+        help="Do not display the logo and donation banner. Please make a donation to OWASP before using this argument.",
     )
     parser.add_argument(
         "--cache",
@@ -137,7 +137,7 @@ def build_args():
         "--cdxgen-args",
         default=os.getenv("CDXGEN_ARGS"),
         dest="cdxgen_args",
-        help="Additional arguments to pass to cdxgen"
+        help="Additional arguments to pass to cdxgen",
     )
     parser.add_argument(
         "--private-ns",
@@ -741,6 +741,7 @@ def main():
     and generates reports based on the results.
     """
     args = build_args()
+    perform_risk_audit = args.risk_audit
     # declare variables that get initialized only conditionally
     (
         summary,
@@ -750,21 +751,19 @@ def main():
         pkg_vulnerabilities,
         pkg_group_rows,
     ) = (None, None, None, None, None, None)
-    if os.getenv("GITHUB_ACTION", "").lower() == "__appthreat_dep-scan-action" \
-        and not os.getenv("INPUT_THANK_YOU", "") == ("I have sponsored "
-                                                 "OWASP-dep-scan."):
+    if (
+        os.getenv("CI")
+        and not args.no_banner
+        and not os.getenv("INPUT_THANK_YOU", "")
+        == ("I have sponsored OWASP-dep-scan.")
+    ):
         console.print(
             Panel(
-                "OWASP relies on donations to fund our projects.\n\n"
-                "Donate at: https://owasp.org/donate/?reponame=www-project"
-                "-dep-scan&title=OWASP+depscan.\n\nAfter you have done so, "
-                "make sure you have configured the action with thank_you: 'I "
-                "have sponsored OWASP-dep-scan.'",
-                title="Please make a donation",
+                "OWASP foundation relies on donations to fund our projects.\nPlease donate at: https://owasp.org/donate/?reponame=www-project-dep-scan&title=OWASP+depscan",
+                title="Donate to the OWASP Foundation",
                 expand=False,
             )
         )
-        sys.exit(1)
     # Should we turn on the debug mode
     if args.enable_debug:
         os.environ["AT_DEBUG_MODE"] = "debug"
@@ -808,6 +807,8 @@ def main():
     if args.project_type:
         project_types_list = args.project_type.split(",")
     elif args.search_purl:
+        # Automatically enable risk audit for single purl searches
+        perform_risk_audit = True
         purl_obj = parse_purl(args.search_purl)
         purl_obj["purl"] = args.search_purl
         purl_obj["vendor"] = purl_obj.get("namespace")
@@ -870,7 +871,11 @@ def main():
                 bom_file,
                 src_dir,
                 args.deep_scan,
-                {"cdxgen_server": args.cdxgen_server, "profile": args.profile, "cdxgen_args": args.cdxgen_args},
+                {
+                    "cdxgen_server": args.cdxgen_server,
+                    "profile": args.profile,
+                    "cdxgen_args": args.cdxgen_args,
+                },
             )
         if not creation_status:
             LOG.debug("Bom file %s was not created successfully", bom_file)
@@ -903,16 +908,17 @@ def main():
                 project_type, licenses_results, license_report_file
             )
         if project_type in risk_audit_map:
-            if args.risk_audit:
-                console.print(
-                    Panel(
-                        f"Performing OSS Risk Audit for packages from "
-                        f"{src_dir}\nNo of packages [bold]{len(pkg_list)}"
-                        f"[/bold]. This will take a while ...",
-                        title="OSS Risk Audit",
-                        expand=False,
+            if perform_risk_audit:
+                if len(pkg_list) > 1:
+                    console.print(
+                        Panel(
+                            f"Performing OSS Risk Audit for packages from "
+                            f"{src_dir}\nNo of packages [bold]{len(pkg_list)}"
+                            f"[/bold]. This will take a while ...",
+                            title="OSS Risk Audit",
+                            expand=False,
+                        )
                     )
-                )
                 try:
                     risk_results = risk_audit(
                         project_type,
@@ -995,7 +1001,7 @@ def main():
                 github_client = github.GitHub(github_token)
 
                 if not github_client.can_authenticate():
-                    LOG.error(
+                    LOG.info(
                         "The GitHub personal access token supplied appears to be invalid or expired. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory"
                     )
                 else:
@@ -1021,11 +1027,12 @@ def main():
                 except NotImplementedError:
                     pass
                 run_cacher = False
-        LOG.info(
-            "Performing regular scan for %s using plugin %s",
-            src_dir,
-            project_type,
-        )
+        if len(pkg_list) > 1:
+            LOG.info(
+                "Performing regular scan for %s using plugin %s",
+                src_dir,
+                project_type,
+            )
         vdb_results, pkg_aliases, sug_version_dict, purl_aliases = scan(
             db, project_type, pkg_list, args.suggest
         )
@@ -1071,9 +1078,9 @@ def main():
             )
     console.save_html(
         html_file,
-        theme=MONOKAI
-        if os.getenv("USE_DARK_THEME")
-        else DEFAULT_TERMINAL_THEME,
+        theme=(
+            MONOKAI if os.getenv("USE_DARK_THEME") else DEFAULT_TERMINAL_THEME
+        ),
     )
     utils.export_pdf(html_file, pdf_file)
     # render report into template if wished

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/depscan/lib/analysis.py

@@ -235,8 +235,7 @@ def is_lang_sw_edition(package_issue):
             return True
         if (
             config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
-            or all_parts.group("sw_edition")
-            in config.LANG_PKG_TYPES.values()
+            or all_parts.group("sw_edition") in config.LANG_PKG_TYPES.values()
         ):
             return True
         return False
@@ -306,6 +305,7 @@ def prepare_vdr(options: PrepareVdrOptions):
     fp_count = 0
     pkg_attention_count = 0
     critical_count = 0
+    malicious_count = 0
     has_poc_count = 0
     has_reachable_poc_count = 0
     has_exploit_count = 0
@@ -376,6 +376,10 @@ def prepare_vdr(options: PrepareVdrOptions):
         package_type = None
         insights = []
         plain_insights = []
+        if vid.startswith("MAL-"):
+            insights.append("[bright_red]:stop_sign: Malicious[/bright_red]")
+            plain_insights.append("Malicious")
+            malicious_count += 1
         purl_obj = None
         vendor = package_issue["affected_location"].get("vendor")
         # If the match was based on name and version alone then the alias might legitimately lack a full purl
@@ -401,7 +405,13 @@ def prepare_vdr(options: PrepareVdrOptions):
                 package_type = purl_obj.get("type")
                 qualifiers = purl_obj.get("qualifiers", {})
                 # Filter application CVEs from distros
-                if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
+                if (
+                    config.LANG_PKG_TYPES.get(package_type)
+                    or package_type in config.LANG_PKG_TYPES.values()
+                ) and (
+                    (vendor and vendor in config.OS_PKG_TYPES)
+                    or not is_lang_sw_edition(package_issue)
+                ):
                     fp_count += 1
                     continue
                 if package_type in config.OS_PKG_TYPES:
@@ -760,7 +770,18 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
         console.print()
         console.print(utable)
         console.print()
-    if options.scoped_pkgs or has_exploit_count:
+    if malicious_count:
+        rmessage = ":stop_sign: Malicious package found! Treat this as a [bold]security incident[/bold] and follow your organization's playbook to remove this package from all affected applications."
+        if malicious_count > 1:
+            rmessage = f":stop_sign: {malicious_count} malicious packages found in this project! Treat this as a [bold]security incident[/bold] and follow your organization's playbook to remove the packages from all affected applications."
+        console.print(
+            Panel(
+                rmessage,
+                title="Action Required",
+                expand=False,
+            )
+        )
+    elif options.scoped_pkgs or has_exploit_count:
         if not pkg_attention_count and has_exploit_count:
             if has_reachable_exploit_count:
                 rmessage = (
@@ -898,18 +919,19 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
                     this result."""
                 console.print(Panel(rmessage, title="Recommendation"))
             else:
-                rmessage = ":white_check_mark: No package requires immediate attention."
+                rmessage = None
                 if reached_purls:
                     rmessage = ":white_check_mark: No package requires immediate attention since the major vulnerabilities are not reachable."
                 elif direct_purls:
                     rmessage = ":white_check_mark: No package requires immediate attention since the major vulnerabilities are found only in dev packages and indirect dependencies."
-                console.print(
-                    Panel(
-                        rmessage,
-                        title="Recommendation",
-                        expand=False,
+                if rmessage:
+                    console.print(
+                        Panel(
+                            rmessage,
+                            title="Recommendation",
+                            expand=False,
+                        )
                     )
-                )
     elif critical_count:
         console.print(
             Panel(
@@ -919,14 +941,6 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
                 expand=False,
             )
         )
-    else:
-        console.print(
-            Panel(
-                ":white_check_mark: No package requires immediate attention.",
-                title="Recommendation",
-                expand=False,
-            )
-        )
     if reached_purls:
         sorted_reached_purls = sorted(
             ((value, key) for (key, value) in reached_purls.items()),
@@ -1329,12 +1343,14 @@ def analyse_licenses(project_type, licenses_results, license_report_file=None):
                 data = [
                     *pkg_ver,
                     "{}{}".format(
-                        "[cyan]"
-                        if "GPL" in lic["spdx-id"]
-                        or "CC-BY-" in lic["spdx-id"]
-                        or "Facebook" in lic["spdx-id"]
-                        or "WTFPL" in lic["spdx-id"]
-                        else "",
+                        (
+                            "[cyan]"
+                            if "GPL" in lic["spdx-id"]
+                            or "CC-BY-" in lic["spdx-id"]
+                            or "Facebook" in lic["spdx-id"]
+                            or "WTFPL" in lic["spdx-id"]
+                            else ""
+                        ),
                         lic["spdx-id"],
                     ),
                     conditions_str,

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/depscan/lib/pkg_query.py

@@ -1,5 +1,6 @@
 import math
 from datetime import datetime
+from semver import Version
 
 import httpx
 from rich.progress import Progress
@@ -40,7 +41,9 @@ def get_lookup_url(registry_type, pkg):
     return None, None
 
 
-def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None):
+def metadata_from_registry(
+    registry_type, scoped_pkgs, pkg_list, private_ns=None
+):
     """
     Method to query registry for the package metadata
 
@@ -64,7 +67,9 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
         redirect_stdout=False,
         refresh_per_second=1,
     ) as progress:
-        task = progress.add_task("[green] Auditing packages", total=len(pkg_list))
+        task = progress.add_task(
+            "[green] Auditing packages", total=len(pkg_list)
+        )
         for pkg in pkg_list:
             if circuit_breaker:
                 LOG.info(
@@ -96,14 +101,16 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
                 if private_ns:
                     namespace_prefixes = private_ns.split(",")
                     for ns in namespace_prefixes:
-                        if key.lower().startswith(ns.lower()) or key.lower().startswith(
-                            "@" + ns.lower()
-                        ):
+                        if key.lower().startswith(
+                            ns.lower()
+                        ) or key.lower().startswith("@" + ns.lower()):
                             is_private_pkg = True
                             break
                 risk_metrics = {}
                 if registry_type == "npm":
-                    risk_metrics = npm_pkg_risk(json_data, is_private_pkg, scope)
+                    risk_metrics = npm_pkg_risk(
+                        json_data, is_private_pkg, scope
+                    )
                 elif registry_type == "pypi":
                     project_type_pkg = f"python:{key}".lower()
                     required_pkgs = scoped_pkgs.get("required", [])
@@ -124,7 +131,9 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
                         or project_type_pkg in excluded_pkgs
                     ):
                         scope = "excluded"
-                    risk_metrics = pypi_pkg_risk(json_data, is_private_pkg, scope)
+                    risk_metrics = pypi_pkg_risk(
+                        json_data, is_private_pkg, scope, pkg
+                    )
                 metadata_dict[key] = {
                     "scope": scope,
                     "pkg_metadata": json_data,
@@ -269,14 +278,17 @@ def compute_time_risks(
     # Check if the package is at least 1 year old. Quarantine period.
     if created_now_diff.total_seconds() < config.created_now_quarantine_seconds:
         risk_metrics["created_now_quarantine_seconds_risk"] = True
-        risk_metrics[
-            "created_now_quarantine_seconds_value"
-        ] = latest_now_diff.total_seconds()
+        risk_metrics["created_now_quarantine_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
 
     # Check for the maximum seconds difference between latest version and now
     if latest_now_diff.total_seconds() > config.latest_now_max_seconds:
+        print(latest_now_diff.total_seconds(), config.latest_now_max_seconds)
         risk_metrics["latest_now_max_seconds_risk"] = True
-        risk_metrics["latest_now_max_seconds_value"] = latest_now_diff.total_seconds()
+        risk_metrics["latest_now_max_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
         # Since the package is quite old we can relax the min versions risk
         risk_metrics["pkg_min_versions_risk"] = False
     else:
@@ -287,17 +299,19 @@ def compute_time_risks(
         # packages
         if mod_create_diff.total_seconds() < config.mod_create_min_seconds:
             risk_metrics["mod_create_min_seconds_risk"] = True
-            risk_metrics[
-                "mod_create_min_seconds_value"
-            ] = mod_create_diff.total_seconds()
+            risk_metrics["mod_create_min_seconds_value"] = (
+                mod_create_diff.total_seconds()
+            )
     # Check for the minimum seconds difference between latest version and now
     if latest_now_diff.total_seconds() < config.latest_now_min_seconds:
         risk_metrics["latest_now_min_seconds_risk"] = True
-        risk_metrics["latest_now_min_seconds_value"] = latest_now_diff.total_seconds()
+        risk_metrics["latest_now_min_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
     return risk_metrics
 
 
-def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
+def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope, pkg):
     """
     Calculate various package risks based on the metadata from pypi.
 
@@ -319,15 +333,38 @@ def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
     versions_dict = pkg_metadata.get("releases", {})
     versions = [ver[0] for k, ver in versions_dict.items() if ver]
     is_deprecated = info.get("yanked") and info.get("yanked_reason")
+    if not is_deprecated and pkg and pkg.get("version"):
+        theversion = versions_dict.get(pkg.get("version"), [])
+        if isinstance(theversion, list):
+            theversion = theversion[0]
+        if theversion.get("yanked"):
+            is_deprecated = True
     # Some packages like pypi:azure only mention deprecated in the description
     # without yanking the package
     pkg_description = info.get("description", "").lower()
-    if not is_deprecated and ("is deprecated" in pkg_description or "no longer maintained" in pkg_description):
+    if not is_deprecated and (
+        "is deprecated" in pkg_description
+        or "no longer maintained" in pkg_description
+    ):
         is_deprecated = True
     latest_deprecated = False
-    first_version = None
-    latest_version = None
-
+    version_nums = list(versions_dict.keys())
+    # Ignore empty versions without metadata. Thanks pypi
+    version_nums = [ver for ver in version_nums if versions_dict.get(ver)]
+    try:
+        first_version_num = min(
+            version_nums,
+            key=lambda x: Version.parse(x, optional_minor_and_patch=True),
+        )
+        latest_version_num = max(
+            version_nums,
+            key=lambda x: Version.parse(x, optional_minor_and_patch=True),
+        )
+    except (ValueError, TypeError):
+        first_version_num = version_nums[0]
+        latest_version_num = version_nums[-1]
+    first_version = versions_dict.get(first_version_num)[0]
+    latest_version = versions_dict.get(latest_version_num)[0]
     # Is the private package available publicly? Dependency confusion.
     if is_private_pkg and pkg_metadata:
         risk_metrics["pkg_private_on_public_registry_risk"] = True
@@ -338,8 +375,6 @@ def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
         if len(versions) < config.pkg_min_versions:
             risk_metrics["pkg_min_versions_risk"] = True
             risk_metrics["pkg_min_versions_value"] = len(versions)
-        first_version = versions[0]
-        latest_version = versions[-1]
         # Check if the latest version is deprecated
         if latest_version and latest_version.get("yanked"):
             latest_deprecated = True

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0/owasp_depscan.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.5
+Version: 5.4.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.8
+Requires-Dist: appthreat-vulnerability-db==5.7.1
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML
@@ -138,27 +138,6 @@ oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 
 Use `vdb-10y` which is a larger database with vulnerability data spanning the last 10 years from 2014. In contrast, vdb with a starting year of 2018 is appropriate for most users.
 
-### Single binary executables
-
-Download the executable binary for your operating system from the [releases page](https://github.com/owasp-dep-scan/depscan-bin/releases). These binary bundle the following:
-
--   dep-scan with Python 3.11
--   cdxgen with Node.js 21
--   cdxgen binary plugins
-
-```bash
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan-linux-amd64
-chmod +x depscan-linux-amd64
-./depscan-linux-amd64 --help
-```
-
-On Windows,
-
-```powershell
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan.exe
-.\depscan.exe --help
-```
-
 ### Server mode
 
 dep-scan and cdxgen could be run in server mode. Use the included docker-compose file to get started.
@@ -190,19 +169,14 @@ Use the `/scan` endpoint to perform scans.
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
--   Scanning a SBOM file (present locally).
+-   Scanning an SBOM file (present locally).
 
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
 -   Scanning a GitHub repo.
-
-```bash
-curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
-```
-
--   Uploading a SBOM file and generating results based on it.
+    Uploading an SBOM file and generating results based on it.
 
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
@@ -307,7 +281,7 @@ You can also specify the image using the sha256 digest
 depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker
 ```
 
-You can also save container images using docker or podman save command and pass the archive to depscan for scanning.
+You can also save container images using the docker or podman save command and pass the archive to depscan for scanning.
 
 ```bash
 docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/owasp_depscan.egg-info/SOURCES.txt

@@ -42,6 +42,8 @@ vendor/choosealicense.com/_licenses/afl-3.0.txt
 vendor/choosealicense.com/_licenses/agpl-3.0.txt
 vendor/choosealicense.com/_licenses/apache-2.0.txt
 vendor/choosealicense.com/_licenses/artistic-2.0.txt
+vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt
+vendor/choosealicense.com/_licenses/bsd-2-clause-patent.txt
 vendor/choosealicense.com/_licenses/bsd-2-clause.txt
 vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt
 vendor/choosealicense.com/_licenses/bsd-3-clause.txt

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/owasp_depscan.egg-info/requires.txt

@@ -1,4 +1,4 @@
-appthreat-vulnerability-db==5.6.8
+appthreat-vulnerability-db==5.7.1
 defusedxml
 oras~=0.1.26
 PyYAML

{owasp_depscan-5.3.5 → owasp_depscan-5.4.0}/pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.3.5"
+version = "5.4.0"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db==5.6.8",
+    "appthreat-vulnerability-db==5.7.1",
     "defusedxml",
     "oras~=0.1.26",
     "PyYAML",