owasp-depscan 5.4.7__tar.gz → 5.5.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


Files changed (89) hide show
  1. {owasp_depscan-5.4.7/owasp_depscan.egg-info → owasp_depscan-5.5.0}/PKG-INFO +56 -23
  2. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/README.md +54 -21
  3. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/analysis.py +28 -24
  4. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/config.py +14 -10
  5. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0/owasp_depscan.egg-info}/PKG-INFO +56 -23
  6. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/requires.txt +1 -1
  7. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/pyproject.toml +2 -2
  8. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_analysis.py +19 -2
  9. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mpl-2.0.txt +1 -1
  10. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/spdx/json/licenses.json +810 -664
  11. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/LICENSE +0 -0
  12. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/MANIFEST.in +0 -0
  13. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/__init__.py +0 -0
  14. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/cli.py +0 -0
  15. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/__init__.py +0 -0
  16. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/audit.py +0 -0
  17. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/bom.py +0 -0
  18. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/csaf.py +0 -0
  19. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/explainer.py +0 -0
  20. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/github.py +0 -0
  21. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/license.py +0 -0
  22. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/logger.py +0 -0
  23. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/normalize.py +0 -0
  24. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/orasclient.py +0 -0
  25. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/pkg_query.py +0 -0
  26. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/depscan/lib/utils.py +0 -0
  27. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/SOURCES.txt +0 -0
  28. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/dependency_links.txt +0 -0
  29. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/entry_points.txt +0 -0
  30. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/top_level.txt +0 -0
  31. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/setup.cfg +0 -0
  32. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_bom.py +0 -0
  33. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_csaf.py +0 -0
  34. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_explainer.py +0 -0
  35. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_github.py +0 -0
  36. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_license.py +0 -0
  37. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_norm.py +0 -0
  38. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_pkg_query.py +0 -0
  39. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/test/test_utils.py +0 -0
  40. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/__init__.py +0 -0
  41. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/fields.yml +0 -0
  42. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/meta.yml +0 -0
  43. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/rules.yml +0 -0
  44. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/0bsd.txt +0 -0
  45. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/afl-3.0.txt +0 -0
  46. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/agpl-3.0.txt +0 -0
  47. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/apache-2.0.txt +0 -0
  48. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/artistic-2.0.txt +0 -0
  49. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt +0 -0
  50. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-2-clause-patent.txt +0 -0
  51. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-2-clause.txt +0 -0
  52. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt +0 -0
  53. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-3-clause.txt +0 -0
  54. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-4-clause.txt +0 -0
  55. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsl-1.0.txt +0 -0
  56. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc-by-4.0.txt +0 -0
  57. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc-by-sa-4.0.txt +0 -0
  58. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc0-1.0.txt +0 -0
  59. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cecill-2.1.txt +0 -0
  60. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-p-2.0.txt +0 -0
  61. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-s-2.0.txt +0 -0
  62. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-w-2.0.txt +0 -0
  63. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ecl-2.0.txt +0 -0
  64. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/epl-1.0.txt +0 -0
  65. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/epl-2.0.txt +0 -0
  66. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/eupl-1.1.txt +0 -0
  67. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/eupl-1.2.txt +0 -0
  68. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gfdl-1.3.txt +0 -0
  69. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gpl-2.0.txt +0 -0
  70. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gpl-3.0.txt +0 -0
  71. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/isc.txt +0 -0
  72. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lgpl-2.1.txt +0 -0
  73. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lgpl-3.0.txt +0 -0
  74. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lppl-1.3c.txt +0 -0
  75. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mit-0.txt +0 -0
  76. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mit.txt +0 -0
  77. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ms-pl.txt +0 -0
  78. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ms-rl.txt +0 -0
  79. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mulanpsl-2.0.txt +0 -0
  80. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ncsa.txt +0 -0
  81. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/odbl-1.0.txt +0 -0
  82. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ofl-1.1.txt +0 -0
  83. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/osl-3.0.txt +0 -0
  84. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/postgresql.txt +0 -0
  85. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/unlicense.txt +0 -0
  86. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/upl-1.0.txt +0 -0
  87. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/vim.txt +0 -0
  88. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/wtfpl.txt +0 -0
  89. {owasp_depscan-5.4.7 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/zlib.txt +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: owasp-depscan
3
- Version: 5.4.7
3
+ Version: 5.5.0
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
20
20
  Requires-Python: >=3.8
21
21
  Description-Content-Type: text/markdown
22
22
  License-File: LICENSE
23
- Requires-Dist: appthreat-vulnerability-db==5.7.5
23
+ Requires-Dist: appthreat-vulnerability-db==5.8.1
24
24
  Requires-Dist: defusedxml
25
25
  Requires-Dist: oras~=0.1.26
26
26
  Requires-Dist: PyYAML
@@ -55,7 +55,6 @@ OWASP dep-scan is a next-generation security and risk audit tool based on known
55
55
  - [Linux distros](#linux-distros)
56
56
  - [Usage](#usage)
57
57
  - [OCI Artifacts via ORAS cli](#oci-artifacts-via-oras-cli)
58
- - [Single binary executables](#single-binary-executables)
59
58
  - [Server mode](#server-mode)
60
59
  - [Scanning projects locally (Python version)](#scanning-projects-locally-python-version)
61
60
  - [Scanning containers locally (Python version)](#scanning-containers-locally-python-version)
@@ -319,25 +318,35 @@ dep-scan uses [cdxgen](https://github.com/CycloneDX/cdxgen) command internally t
319
318
 
320
319
  The following projects and package-dependency format is supported by cdxgen.
321
320
 
322
- | Language | Package format |
323
- | ------------------------ | --------------------------------------------------------------------------------------- |
324
- | node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js |
325
- | java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel |
326
- | php | composer.lock |
327
- | python | setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info |
328
- | go | binary, go.mod, go.sum, Gopkg.lock |
329
- | ruby | Gemfile.lock, gemspec |
330
- | rust | binary, Cargo.toml, Cargo.lock |
331
- | .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg |
332
- | dart | pubspec.lock, pubspec.yaml |
333
- | haskell | cabal.project.freeze |
334
- | elixir | mix.lock |
335
- | c/c++ | conan.lock, conanfile.txt |
336
- | clojure | Clojure CLI (deps.edn), Leiningen (project.clj) |
337
- | docker / oci image | All supported languages and Linux OS packages |
338
- | GitHub Actions Workflows | .github/workflows/\*.yml |
339
- | Jenkins Plugins | .hpi files |
340
- | YAML manifests | docker-compose, kubernetes, kustomization, skaffold, tekton etc |
321
+ | Language/Platform | Project Types | Package Formats | Supported Evidence | Supports Transitives |
322
+ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------- |
323
+ | Node.js | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx` | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js` | Yes, except for `.min.` | ✅ |
324
+ | Java | `java`, `groovy`, `kotlin`, `scala`, `jvm`, `gradle`, `mvn`, `maven`, `sbt` | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel` | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors) | ✅ |
325
+ | Android | `android`, `apk`, `aab` | `apk`, `aab` | - | - |
326
+ | JAR | `jar` | `.jar` | - | - |
327
+ | JAR (Gradle Cache) | `gradle-index`, `gradle-cache` | `$HOME/caches/modules-2/files-2.1/\*\*/\*.jar` | - | - |
328
+ | JAR (SBT Cache) | `sbt-index`, `sbt-cache` | `$HOME/.ivy2/cache/\*\*/\*.jar ` | - | - |
329
+ | JAR (Maven Cache) | `maven-index`, `maven-cache`, `maven-repo` | `$HOME/.m2/repository/\*\*/\*.jar` | - | - |
330
+ | Python | `python`, `py`, `pypi` | `pyproject.toml`, `setup.py`, `requirements.txt` [2], `Pipfile.lock`, `poetry.lock`, `pdm.lock`, `bdist_wheel`, `.whl`, `.egg-info` | Yes using the automatic pip install/freeze. When disabled, only with `Pipfile.lock` and `poetry.lock` | ✅ |
331
+ | Golang | `go`, `golang` | `binary`, `go.mod`, `go.sum`, `Gopkg.lock` | Yes except binary | ✅ |
332
+ | Rust | `rust`, `rust-lang`, `cargo` | `binary`, `Cargo.toml`, `Cargo.lock` | Only for `Cargo.lock` | - |
333
+ | Ruby | `ruby`, `gems` | `Gemfile.lock`, `gemspec` | Only for `Gemfile.lock` | - |
334
+ | .NET (#C) | `csharp`, `netcore`, `dotnet`, `vb`, `dotnet-framework` | `.csproj`, `.vbproj`, `.fsproj`, `packages.config`, `project.assets.json` [3], `packages.lock.json`, `.nupkg`, `paket.lock`, `binary` | Only for `project.assets.json`, `packages.lock.json`, `paket.lock` | - |
335
+ | Dart | `dart`, `flutter`, `pub` | `pubspec.lock`, `pubspec.yaml` | Only for `pubspec.lock` | - |
336
+ | Haskell | `haskell`, `hackage`, `cabal` | `cabal.project.freeze` | Yes | |
337
+ | Elixir | `elixir`, `hex`, `mix` | `mix.lock` | Yes | - |
338
+ | C++ | `c`, `cpp`, `c++`, `conan` | `conan.lock`, `conanfile.txt`, `\*.cmake`, `CMakeLists.txt`, `meson.build`, codebase without package managers! | Yes only for `conan.lock`. Best effort basis for `cmake` without version numbers. | ✅ |
339
+ | Clojure | `clojure`, `edn`, `clj`, `leiningen` | `deps.edn`, `project.clj` | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | - |
340
+ | GitHub Actions | `github`, `actions` | `.github/workflows/\*.yml` | n/a | ✅ |
341
+ | Operation System (OS) | `os`, `osquery`, `windows`, `linux`, `mac`, `macos`, `darwin` |
342
+ | Jenkins Plugins | `jenkins` | `.hpi files` | - | ✅ |
343
+ | Helm | `helm`, `charts` | `.yaml` | n/a | |
344
+ | Helm (Cache) | `helm-index`, `helm-repo` | `$HOME/.cache/helm/repository/\*\*/\*.yaml` | - | - |
345
+ | Container | `universal`, `containerfile`, `docker-compose`, `dockerfile`, `swarm`, `tekton`, `kustomize`, `operator`, `skaffold`, `kubernetes`, `openshift`, `yaml-manifest` | `.yaml`, `docker-compose\*.yml`, `*Dockerfile*`, `*Containerfile*`, `bitbucket-pipelines.yml` | n/a | - |
346
+ | Google Cloud Build | `cloudbuild` | `cloudbuild.yaml` | n/a | - |
347
+ | Swift (iOS) | `swift` | `Package.resolved`, `Package.swift` (swiftpm) | Yes | - |
348
+ | Binary | `binary`, `blint` |
349
+ | Open API | Open API Specification, Swagger | `openapi\*.json`, `openapi\*.yaml` | n/a | - |
341
350
 
342
351
  ## Reachability analysis
343
352
 
@@ -380,6 +389,30 @@ The following environment variables can be used to customize the behavior.
380
389
  - VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
381
390
  - VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbgz:v5
382
391
  - USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database. Default download url: ghcr.io/appthreat/vdb-10y:v5
392
+ - VDB_APP_ONLY - Set to true to use a special app-only vulnerability database. Default download url: ghcr.io/appthreat/vdbgz-app:v5
393
+
394
+ Example 1 - Run depscan with app-only vdb.
395
+
396
+ ```shell
397
+ docker run --rm \
398
+ -e VDB_HOME=/db \
399
+ -e VDB_APP_ONLY=true \
400
+ -e SCAN_DEBUG_MODE=debug \
401
+ -v /tmp:/db \
402
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
403
+ ```
404
+
405
+ Example 2 - Run depscan with a larger 10 year app-only vdb.
406
+
407
+ ```shell
408
+ docker run --rm \
409
+ -e VDB_HOME=/db \
410
+ -e VDB_APP_ONLY=true \
411
+ -e USE_VDB_10Y=true \
412
+ -e SCAN_DEBUG_MODE=debug \
413
+ -v /tmp:/db \
414
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
415
+ ```
383
416
 
384
417
  ## GitHub Security Advisory
385
418
 
@@ -521,7 +554,7 @@ The objects available are taken from the CycloneDX \*.vdr.json BOM file generate
521
554
  `pkg_group_rows` - List of vulnerability id and the dependency tree prioritized by depscan.
522
555
 
523
556
  Furthermore, insights are imaginable to be made available to the template, please reach out or contribute on demand.
524
- We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
557
+ We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates).
525
558
 
526
559
  ## Performance tuning
527
560
 
@@ -14,7 +14,6 @@ OWASP dep-scan is a next-generation security and risk audit tool based on known
14
14
  - [Linux distros](#linux-distros)
15
15
  - [Usage](#usage)
16
16
  - [OCI Artifacts via ORAS cli](#oci-artifacts-via-oras-cli)
17
- - [Single binary executables](#single-binary-executables)
18
17
  - [Server mode](#server-mode)
19
18
  - [Scanning projects locally (Python version)](#scanning-projects-locally-python-version)
20
19
  - [Scanning containers locally (Python version)](#scanning-containers-locally-python-version)
@@ -278,25 +277,35 @@ dep-scan uses [cdxgen](https://github.com/CycloneDX/cdxgen) command internally t
278
277
 
279
278
  The following projects and package-dependency format is supported by cdxgen.
280
279
 
281
- | Language | Package format |
282
- | ------------------------ | --------------------------------------------------------------------------------------- |
283
- | node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js |
284
- | java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel |
285
- | php | composer.lock |
286
- | python | setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info |
287
- | go | binary, go.mod, go.sum, Gopkg.lock |
288
- | ruby | Gemfile.lock, gemspec |
289
- | rust | binary, Cargo.toml, Cargo.lock |
290
- | .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg |
291
- | dart | pubspec.lock, pubspec.yaml |
292
- | haskell | cabal.project.freeze |
293
- | elixir | mix.lock |
294
- | c/c++ | conan.lock, conanfile.txt |
295
- | clojure | Clojure CLI (deps.edn), Leiningen (project.clj) |
296
- | docker / oci image | All supported languages and Linux OS packages |
297
- | GitHub Actions Workflows | .github/workflows/\*.yml |
298
- | Jenkins Plugins | .hpi files |
299
- | YAML manifests | docker-compose, kubernetes, kustomization, skaffold, tekton etc |
280
+ | Language/Platform | Project Types | Package Formats | Supported Evidence | Supports Transitives |
281
+ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------- |
282
+ | Node.js | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx` | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js` | Yes, except for `.min.` | ✅ |
283
+ | Java | `java`, `groovy`, `kotlin`, `scala`, `jvm`, `gradle`, `mvn`, `maven`, `sbt` | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel` | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors) | ✅ |
284
+ | Android | `android`, `apk`, `aab` | `apk`, `aab` | - | - |
285
+ | JAR | `jar` | `.jar` | - | - |
286
+ | JAR (Gradle Cache) | `gradle-index`, `gradle-cache` | `$HOME/caches/modules-2/files-2.1/\*\*/\*.jar` | - | - |
287
+ | JAR (SBT Cache) | `sbt-index`, `sbt-cache` | `$HOME/.ivy2/cache/\*\*/\*.jar ` | - | - |
288
+ | JAR (Maven Cache) | `maven-index`, `maven-cache`, `maven-repo` | `$HOME/.m2/repository/\*\*/\*.jar` | - | - |
289
+ | Python | `python`, `py`, `pypi` | `pyproject.toml`, `setup.py`, `requirements.txt` [2], `Pipfile.lock`, `poetry.lock`, `pdm.lock`, `bdist_wheel`, `.whl`, `.egg-info` | Yes using the automatic pip install/freeze. When disabled, only with `Pipfile.lock` and `poetry.lock` | ✅ |
290
+ | Golang | `go`, `golang` | `binary`, `go.mod`, `go.sum`, `Gopkg.lock` | Yes except binary | ✅ |
291
+ | Rust | `rust`, `rust-lang`, `cargo` | `binary`, `Cargo.toml`, `Cargo.lock` | Only for `Cargo.lock` | - |
292
+ | Ruby | `ruby`, `gems` | `Gemfile.lock`, `gemspec` | Only for `Gemfile.lock` | - |
293
+ | .NET (#C) | `csharp`, `netcore`, `dotnet`, `vb`, `dotnet-framework` | `.csproj`, `.vbproj`, `.fsproj`, `packages.config`, `project.assets.json` [3], `packages.lock.json`, `.nupkg`, `paket.lock`, `binary` | Only for `project.assets.json`, `packages.lock.json`, `paket.lock` | - |
294
+ | Dart | `dart`, `flutter`, `pub` | `pubspec.lock`, `pubspec.yaml` | Only for `pubspec.lock` | - |
295
+ | Haskell | `haskell`, `hackage`, `cabal` | `cabal.project.freeze` | Yes | |
296
+ | Elixir | `elixir`, `hex`, `mix` | `mix.lock` | Yes | - |
297
+ | C++ | `c`, `cpp`, `c++`, `conan` | `conan.lock`, `conanfile.txt`, `\*.cmake`, `CMakeLists.txt`, `meson.build`, codebase without package managers! | Yes only for `conan.lock`. Best effort basis for `cmake` without version numbers. | ✅ |
298
+ | Clojure | `clojure`, `edn`, `clj`, `leiningen` | `deps.edn`, `project.clj` | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | - |
299
+ | GitHub Actions | `github`, `actions` | `.github/workflows/\*.yml` | n/a | ✅ |
300
+ | Operation System (OS) | `os`, `osquery`, `windows`, `linux`, `mac`, `macos`, `darwin` |
301
+ | Jenkins Plugins | `jenkins` | `.hpi files` | - | ✅ |
302
+ | Helm | `helm`, `charts` | `.yaml` | n/a | |
303
+ | Helm (Cache) | `helm-index`, `helm-repo` | `$HOME/.cache/helm/repository/\*\*/\*.yaml` | - | - |
304
+ | Container | `universal`, `containerfile`, `docker-compose`, `dockerfile`, `swarm`, `tekton`, `kustomize`, `operator`, `skaffold`, `kubernetes`, `openshift`, `yaml-manifest` | `.yaml`, `docker-compose\*.yml`, `*Dockerfile*`, `*Containerfile*`, `bitbucket-pipelines.yml` | n/a | - |
305
+ | Google Cloud Build | `cloudbuild` | `cloudbuild.yaml` | n/a | - |
306
+ | Swift (iOS) | `swift` | `Package.resolved`, `Package.swift` (swiftpm) | Yes | - |
307
+ | Binary | `binary`, `blint` |
308
+ | Open API | Open API Specification, Swagger | `openapi\*.json`, `openapi\*.yaml` | n/a | - |
300
309
 
301
310
  ## Reachability analysis
302
311
 
@@ -339,6 +348,30 @@ The following environment variables can be used to customize the behavior.
339
348
  - VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
340
349
  - VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbgz:v5
341
350
  - USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database. Default download url: ghcr.io/appthreat/vdb-10y:v5
351
+ - VDB_APP_ONLY - Set to true to use a special app-only vulnerability database. Default download url: ghcr.io/appthreat/vdbgz-app:v5
352
+
353
+ Example 1 - Run depscan with app-only vdb.
354
+
355
+ ```shell
356
+ docker run --rm \
357
+ -e VDB_HOME=/db \
358
+ -e VDB_APP_ONLY=true \
359
+ -e SCAN_DEBUG_MODE=debug \
360
+ -v /tmp:/db \
361
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
362
+ ```
363
+
364
+ Example 2 - Run depscan with a larger 10 year app-only vdb.
365
+
366
+ ```shell
367
+ docker run --rm \
368
+ -e VDB_HOME=/db \
369
+ -e VDB_APP_ONLY=true \
370
+ -e USE_VDB_10Y=true \
371
+ -e SCAN_DEBUG_MODE=debug \
372
+ -v /tmp:/db \
373
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
374
+ ```
342
375
 
343
376
  ## GitHub Security Advisory
344
377
 
@@ -480,7 +513,7 @@ The objects available are taken from the CycloneDX \*.vdr.json BOM file generate
480
513
  `pkg_group_rows` - List of vulnerability id and the dependency tree prioritized by depscan.
481
514
 
482
515
  Furthermore, insights are imaginable to be made available to the template, please reach out or contribute on demand.
483
- We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
516
+ We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates).
484
517
 
485
518
  ## Performance tuning
486
519
 
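--- a/depscan/lib/analysis.py
+++ b/depscan/lib/analysis.py
@@ -19,7 +19,7 @@ from rich.table import Table
 from rich.tree import Tree
 from vdb.lib import CPE_FULL_REGEX
 from vdb.lib.config import placeholder_exclude_version, placeholder_fix_version
-from vdb.lib.utils import parse_cpe, parse_purl
+from vdb.lib.utils import get_cvss3_from_vector, get_cvss4_from_vector, parse_cpe, parse_purl
 
 from depscan.lib import config
 from depscan.lib.logger import LOG, console
@@ -336,6 +336,11 @@ def prepare_vdr(options: PrepareVdrOptions):
 justify = "right"
 table.add_column(header=h, justify=justify, vertical="top")
 for vuln_occ_dict in options.results:
+# If CVSS v4 data is available, override the severity and cvss_score
+if vuln_occ_dict.get("cvss4_vector_string"):
+cvss4_obj = get_cvss4_from_vector(vuln_occ_dict.get("cvss4_vector_string"))
+vuln_occ_dict["cvss_score"] = cvss4_obj.get("baseScore")
+vuln_occ_dict["severity"] = cvss4_obj.get("baseSeverity").upper()
 vid = vuln_occ_dict.get("id")
 problem_type = vuln_occ_dict.get("problem_type")
 cwes = []
@@ -1026,34 +1031,33 @@ def cvss_to_vdr_rating(vuln_occ_dict):
 
 :return: A list containing a dictionary with CVSS score information.
 """
-cvss_score = vuln_occ_dict.get("cvss_score", 2.0)
-with contextlib.suppress(ValueError, TypeError):
-cvss_score = float(cvss_score)
-if (pkg_severity := vuln_occ_dict.get("severity", "").lower()) not in (
-"critical",
-"high",
-"medium",
-"low",
-"info",
-"none",
-):
-pkg_severity = "unknown"
-ratings = [
-{
-"score": cvss_score,
-"severity": pkg_severity,
-}
-]
-method = "31"
+ratings = []
+# Support for cvss v4
+if vuln_occ_dict.get("cvss4_vector_string") and (vector_string := vuln_occ_dict.get("cvss4_vector_string")):
+cvss4_obj = get_cvss4_from_vector(vector_string)
+ratings.append(
+{
+"method": "CVSSv4",
+"score": cvss4_obj.get("baseScore"),
+"severity": cvss4_obj.get("baseSeverity").lower(),
+"vector": vector_string
+}
+)
 if vuln_occ_dict.get("cvss_v3") and (
 vector_string := vuln_occ_dict["cvss_v3"].get("vector_string")
 ):
-ratings[0]["vector"] = vector_string
 with contextlib.suppress(CVSSError):
-method = cvss.CVSS3(vector_string).as_json().get("version")
+cvss3_obj = get_cvss3_from_vector(vector_string)
+method = cvss3_obj.get("version")
 method = method.replace(".", "").replace("0", "")
-ratings[0]["method"] = f"CVSSv{method}"
-
+ratings.append(
+{
+"method": f"CVSSv{method}",
+"score": cvss3_obj.get("baseScore"),
+"severity": cvss3_obj.get("baseSeverity").lower(),
+"vector": vector_string
+}
+)
 return ratings
 
 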
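Review bot: The `cvss_v3` branch of cvss_to_vdr_rating lost its `method = "31"` default, so when `get_cvss3_from_vector` raises CVSSError the suppress block leaves `method` and `cvss3_obj` unbound and the unchanged `method = method.replace(".", "").replace("0", "")` line (plus the `ratings.append` that reads `cvss3_obj`, if it sits outside the `with`; the rendered page drops the indentation) fails with UnboundLocalError where 5.4.7 degraded to `CVSSv31`. The function also now returns `[]` for an occurrence that carries `cvss_score`/`severity` but no vector string, whereas the removed code always emitted one normalized rating, so callers indexing `ratings[0]` or VDR consumers expecting a rating per vulnerability see a behaviour change, and the unchanged docstring `:return: A list containing a dictionary with CVSS score information.` should now say the list may be empty or hold one CVSSv4 and one CVSSv3 entry. `cvss4_obj.get("baseSeverity").lower()` here and `.upper()` in the prepare_vdr hunk raise AttributeError when the parsed object has no `baseSeverity`; `(cvss4_obj.get("baseSeverity") or "unknown").lower()` keeps the unknown-severity fallback the removed code had. The guard `vuln_occ_dict.get("cvss4_vector_string") and (vector_string := vuln_occ_dict.get("cvss4_vector_string"))` reads the key twice; `if vector_string := vuln_occ_dict.get("cvss4_vector_string"):` is equivalent. The function's signature and the start of its docstring are outside the hunk.
```python
    # … unchanged: ratings = [] and the CVSSv4 branch …
    if vuln_occ_dict.get("cvss_v3") and (
        vector_string := vuln_occ_dict["cvss_v3"].get("vector_string")
    ):
        cvss3_obj = None
        method = "31"  # pre-5.5.0 default so an unparseable vector does not leave `method` unbound
        with contextlib.suppress(CVSSError):
            cvss3_obj = get_cvss3_from_vector(vector_string)
            method = str(cvss3_obj.get("version") or "3.1")
        method = method.replace(".", "").replace("0", "")
        if cvss3_obj is not None:
            ratings.append(
                {
                    "method": f"CVSSv{method}",
                    "score": cvss3_obj.get("baseScore"),
                    "severity": (cvss3_obj.get("baseSeverity") or "unknown").lower(),
                    "vector": vector_string,
                }
            )
    # … unchanged: return ratings …
```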
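--- a/depscan/lib/config.py
+++ b/depscan/lib/config.py
@@ -314,17 +314,21 @@ vdb_rafs_database_url = os.getenv(
 "VDB_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb:v5-rafs"
 )
 
-# Larger 10 year database
-vdb_10y_database_url = os.getenv(
-"VDB_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-10y:v5"
-)
-vdb_10y_rafs_database_url = os.getenv(
-"VDB_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-10y:v5-rafs"
-)
+# App only data
+if os.getenv("VDB_APP_ONLY", "") in ("true", "1"):
+vdb_database_url = os.getenv("VDB_APP_DATABASE_URL", "ghcr.io/appthreat/vdbgz-app:v5")
+vdb_rafs_database_url = os.getenv("VDB_APP_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-app:v5-rafs")
 
-if os.getenv("USE_VDB_10Y", "") in ("true", "1"):
-vdb_database_url = vdb_10y_database_url
-vdb_rafs_database_url = vdb_10y_rafs_database_url
+# Larger 10 year database
+if os.getenv("USE_VDB_10Y", "") in ("true", "1") or os.getenv("NVD_START_YEAR", "") in ("2014",):
+if os.getenv("VDB_APP_ONLY", "") in ("true", "1"):
+# 10 year app-only database
+vdb_database_url = os.getenv("VDB_APP_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-app-10y:v5")
+vdb_rafs_database_url = os.getenv("VDB_APP_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-app-10y:v5-rafs")
+else:
+# 10 year database
+vdb_database_url = os.getenv("VDB_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-10y:v5")
+vdb_rafs_database_url = os.getenv("VDB_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-10y:v5-rafs")
 
 # Package risk scoring using a simple weighted formula with no backing
 # research All parameters and their max value and weight can be overridden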
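Review bot: The module-level names `vdb_10y_database_url` and `vdb_10y_rafs_database_url` are removed in this hunk, so any other module that imports them from `depscan.lib.config` (none is visible on this page) would now fail at import time; keeping `vdb_10y_database_url = os.getenv("VDB_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-10y:v5")` and its rafs twin at module level and reusing them inside the `else:` branch preserves compatibility. `os.getenv("VDB_APP_ONLY", "") in ("true", "1")` is evaluated twice and the `USE_VDB_10Y` test sits inline; a single `use_app_only = os.getenv("VDB_APP_ONLY", "") in ("true", "1")` (and a matching `use_10y`) above both blocks gives one source of truth and makes the selection logic a two-flag table instead of nested env lookups. `os.getenv("NVD_START_YEAR", "") in ("2014",)` switches to the 10-year database only for the literal string "2014"; a comment such as `# NVD_START_YEAR=2014 needs the wider 10-year database — confirm whether other start years should too` would tell the next reader why that exact value is special. Like the existing VDB_DATABASE_URL override, the four new variables decide which OCI artifact is fetched and trusted as the vulnerability database, so the README bullet added for VDB_APP_ONLY should also name VDB_APP_DATABASE_URL, VDB_APP_RAFS_DATABASE_URL and their 10y twins so operators know which references they can pin.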
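--- a/owasp_depscan-5.4.7/PKG-INFO
+++ b/owasp_depscan-5.5.0/owasp_depscan.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.4.7
+Version: 5.5.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.7.5
+Requires-Dist: appthreat-vulnerability-db==5.8.1
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML
@@ -55,7 +55,6 @@ OWASP dep-scan is a next-generation security and risk audit tool based on known
 - [Linux distros](#linux-distros)
 - [Usage](#usage)
 - [OCI Artifacts via ORAS cli](#oci-artifacts-via-oras-cli)
-- [Single binary executables](#single-binary-executables)
 - [Server mode](#server-mode)
 - [Scanning projects locally (Python version)](#scanning-projects-locally-python-version)
 - [Scanning containers locally (Python version)](#scanning-containers-locally-python-version)
@@ -319,25 +318,35 @@ dep-scan uses [cdxgen](https://github.com/CycloneDX/cdxgen) command internally t
 
 The following projects and package-dependency format is supported by cdxgen.
 
-| Language | Package format |
-| ------------------------ | --------------------------------------------------------------------------------------- |
-| node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js |
-| java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel |
-| php | composer.lock |
-| python | setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info |
-| go | binary, go.mod, go.sum, Gopkg.lock |
-| ruby | Gemfile.lock, gemspec |
-| rust | binary, Cargo.toml, Cargo.lock |
-| .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg |
-| dart | pubspec.lock, pubspec.yaml |
-| haskell | cabal.project.freeze |
-| elixir | mix.lock |
-| c/c++ | conan.lock, conanfile.txt |
-| clojure | Clojure CLI (deps.edn), Leiningen (project.clj) |
-| docker / oci image | All supported languages and Linux OS packages |
-| GitHub Actions Workflows | .github/workflows/\*.yml |
-| Jenkins Plugins | .hpi files |
-| YAML manifests | docker-compose, kubernetes, kustomization, skaffold, tekton etc |
+| Language/Platform | Project Types | Package Formats | Supported Evidence | Supports Transitives |
+| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------- |
+| Node.js | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx` | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js` | Yes, except for `.min.` | ✅ |
+| Java | `java`, `groovy`, `kotlin`, `scala`, `jvm`, `gradle`, `mvn`, `maven`, `sbt` | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel` | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors) | ✅ |
+| Android | `android`, `apk`, `aab` | `apk`, `aab` | - | - |
+| JAR | `jar` | `.jar` | - | - |
+| JAR (Gradle Cache) | `gradle-index`, `gradle-cache` | `$HOME/caches/modules-2/files-2.1/\*\*/\*.jar` | - | - |
+| JAR (SBT Cache) | `sbt-index`, `sbt-cache` | `$HOME/.ivy2/cache/\*\*/\*.jar ` | - | - |
+| JAR (Maven Cache) | `maven-index`, `maven-cache`, `maven-repo` | `$HOME/.m2/repository/\*\*/\*.jar` | - | - |
+| Python | `python`, `py`, `pypi` | `pyproject.toml`, `setup.py`, `requirements.txt` [2], `Pipfile.lock`, `poetry.lock`, `pdm.lock`, `bdist_wheel`, `.whl`, `.egg-info` | Yes using the automatic pip install/freeze. When disabled, only with `Pipfile.lock` and `poetry.lock` | ✅ |
+| Golang | `go`, `golang` | `binary`, `go.mod`, `go.sum`, `Gopkg.lock` | Yes except binary | ✅ |
+| Rust | `rust`, `rust-lang`, `cargo` | `binary`, `Cargo.toml`, `Cargo.lock` | Only for `Cargo.lock` | - |
+| Ruby | `ruby`, `gems` | `Gemfile.lock`, `gemspec` | Only for `Gemfile.lock` | - |
+| .NET (#C) | `csharp`, `netcore`, `dotnet`, `vb`, `dotnet-framework` | `.csproj`, `.vbproj`, `.fsproj`, `packages.config`, `project.assets.json` [3], `packages.lock.json`, `.nupkg`, `paket.lock`, `binary` | Only for `project.assets.json`, `packages.lock.json`, `paket.lock` | - |
+| Dart | `dart`, `flutter`, `pub` | `pubspec.lock`, `pubspec.yaml` | Only for `pubspec.lock` | - |
+| Haskell | `haskell`, `hackage`, `cabal` | `cabal.project.freeze` | Yes | |
+| Elixir | `elixir`, `hex`, `mix` | `mix.lock` | Yes | - |
+| C++ | `c`, `cpp`, `c++`, `conan` | `conan.lock`, `conanfile.txt`, `\*.cmake`, `CMakeLists.txt`, `meson.build`, codebase without package managers! | Yes only for `conan.lock`. Best effort basis for `cmake` without version numbers. | ✅ |
+| Clojure | `clojure`, `edn`, `clj`, `leiningen` | `deps.edn`, `project.clj` | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | - |
+| GitHub Actions | `github`, `actions` | `.github/workflows/\*.yml` | n/a | ✅ |
+| Operation System (OS) | `os`, `osquery`, `windows`, `linux`, `mac`, `macos`, `darwin` |
+| Jenkins Plugins | `jenkins` | `.hpi files` | - | ✅ |
+| Helm | `helm`, `charts` | `.yaml` | n/a | |
+| Helm (Cache) | `helm-index`, `helm-repo` | `$HOME/.cache/helm/repository/\*\*/\*.yaml` | - | - |
+| Container | `universal`, `containerfile`, `docker-compose`, `dockerfile`, `swarm`, `tekton`, `kustomize`, `operator`, `skaffold`, `kubernetes`, `openshift`, `yaml-manifest` | `.yaml`, `docker-compose\*.yml`, `*Dockerfile*`, `*Containerfile*`, `bitbucket-pipelines.yml` | n/a | - |
+| Google Cloud Build | `cloudbuild` | `cloudbuild.yaml` | n/a | - |
+| Swift (iOS) | `swift` | `Package.resolved`, `Package.swift` (swiftpm) | Yes | - |
+| Binary | `binary`, `blint` |
+| Open API | Open API Specification, Swagger | `openapi\*.json`, `openapi\*.yaml` | n/a | - |
 
 ## Reachability analysis
 
@@ -380,6 +389,30 @@ The following environment variables can be used to customize the behavior.
 - VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
 - VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbgz:v5
 - USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database. Default download url: ghcr.io/appthreat/vdb-10y:v5
+- VDB_APP_ONLY - Set to true to use a special app-only vulnerability database. Default download url: ghcr.io/appthreat/vdbgz-app:v5
+
+Example 1 - Run depscan with app-only vdb.
+
+```shell
+docker run --rm \
+-e VDB_HOME=/db \
+-e VDB_APP_ONLY=true \
+-e SCAN_DEBUG_MODE=debug \
+-v /tmp:/db \
+-v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
+```
+
+Example 2 - Run depscan with a larger 10 year app-only vdb.
+
+```shell
+docker run --rm \
+-e VDB_HOME=/db \
+-e VDB_APP_ONLY=true \
+-e USE_VDB_10Y=true \
+-e SCAN_DEBUG_MODE=debug \
+-v /tmp:/db \
+-v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
+```
 
 ## GitHub Security Advisory
 
@@ -521,7 +554,7 @@ The objects available are taken from the CycloneDX \*.vdr.json BOM file generate
 `pkg_group_rows` - List of vulnerability id and the dependency tree prioritized by depscan.
 
 Furthermore, insights are imaginable to be made available to the template, please reach out or contribute on demand.
-We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
+We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates).
 
 ## Performance tuning
 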
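--- a/owasp_depscan-5.4.7/owasp_depscan.egg-info/requires.txt
+++ b/owasp_depscan-5.5.0/owasp_depscan.egg-info/requires.txt
@@ -1,4 +1,4 @@
-appthreat-vulnerability-db==5.7.5
+appthreat-vulnerability-db==5.8.1
 defusedxml
 oras~=0.1.26
 PyYAML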
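--- a/owasp_depscan-5.4.7/pyproject.toml
+++ b/owasp_depscan-5.5.0/pyproject.toml
@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.4.7"
+version = "5.5.0"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-"appthreat-vulnerability-db==5.7.5",
+"appthreat-vulnerability-db==5.8.1",
 "defusedxml",
 "oras~=0.1.26",
 "PyYAML",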
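--- a/owasp_depscan-5.4.7/test/test_analysis.py
+++ b/owasp_depscan-5.5.0/test/test_analysis.py
@@ -708,8 +708,7 @@ def test_cvss_to_vdr_rating():
 "severity": "HIGH",
 }
 # Test missing score and vector string
-assert cvss_to_vdr_rating(res) == [
-{'method': 'CVSSv31', 'score': 2.0, 'severity': 'high'}]
+assert cvss_to_vdr_rating(res) == []
 # Test parsing
 res["cvss_v3"]["vector_string"] = ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I"
 ":N/A:H")
@@ -729,6 +728,24 @@ def test_cvss_to_vdr_rating():
 'severity': 'high',
 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'
 }]
+assert cvss_to_vdr_rating({
+"cvss_v3": {
+"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
+},
+"cvss4_vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"
+}) == [{
+'method': 'CVSSv4',
+'score': 7.9,
+'severity': 'high',
+'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H'
+},
+{
+'method': 'CVSSv31',
+'score': 10.0,
+'severity': 'critical',
+'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'
+}
+]
 
 
 def test_get_version_range():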
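Review bot: The new assertion at the end of the second hunk pins the CVSSv4 score `7.9` and the order of the two ratings (CVSSv4 before CVSSv31) without a comment saying where either comes from; the score presumably comes from the CVSS 4.0 calculator in the pinned appthreat-vulnerability-db, so the next bump of that pin could fail this line with no hint whether the library or depscan changed. A comment such as `# v4 rating is listed first; 7.9 is the vdb CVSS 4.0 calculator's score for this vector` above the call would record the intent, and the first hunk's `== []` expectation for the missing score/vector case deserves a similar one-line note that an unscored entry is now dropped rather than given a placeholder score. Binding the two vector strings to local names and reusing them in both the input dict and the expected list would also remove the duplicated literals. The enclosing test_cvss_to_vdr_rating starts outside the hunk.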
@@ -393,7 +393,7 @@ Exhibit A - Source Code Form License Notice
393
393
 
394
394
  This Source Code Form is subject to the terms of the Mozilla Public
395
395
  License, v. 2.0. If a copy of the MPL was not distributed with this
396
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
396
+ file, You can obtain one at https://mozilla.org/MPL/2.0/.
397
397
 
398
398
  If it is not possible or desirable to put the notice in a particular
399
399
  file, then You may include the notice in a location (such as a LICENSE