OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration with ASPM/VM platforms and in CI environments.
- Features
- Quick Start
- Documentation (depscan.readthedocs.io)
- License
- Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
- Perform advanced reachability analysis for multiple languages (See reachability analysis)
- Package vulnerability scanning is performed locally and is quite fast. No server is used!
- Generate Software Bill-of-Materials (SBOM) with Vulnerability Disclosure Report (VDR) information
- Generate a Common Security Advisory Framework (CSAF) 2.0 VEX document (check out the CSAF Readme)
- Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)
- OSV
- NVD
- GitHub
- NPM
- Linux vuln-list
- AlmaLinux
- Debian
- Alpine
- Amazon Linux
- Arch Linux
- RHEL/CentOS
- Rocky Linux
- Ubuntu
- OpenSUSE/SLES
- Photon
- Chainguard
- Wolfi OS
Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
sudo npm install -g @cyclonedx/cdxgen
# Normal version recommended for most users (MIT)
pip install owasp-depscan
# For a performant version, that uses valkey cache during risk audit (BSD-3-Clause)
pip install owasp-depscan[perf]This would install two commands called cdxgen and depscan.
You can invoke the scan command directly with the various options.
cd <project to scan>
depscan --src $PWD --reports-dir $PWD/reportsThe full list of options is below:
usage: cli.py [-h] [--no-banner] [] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM]
[-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--report-template REPORT_TEMPLATE] [--report-name REPORT_NAME] [--no-error] [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
[--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT]
[--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
options:
-h, --help show this help message and exit
--no-banner Do not display banner
Cache vulnerability information in platform specific user_data_dir
--csaf Generate a OASIS CSAF VEX document
--sync Sync to receive the latest vulnerability data. Should have invoked cache first.
--profile {appsec,research,operational,threat-modeling,license-compliance,generic}
Profile to use while generating the BOM.
--no-suggest Disable suggest mode
--risk-audit Perform package risk audit (slow operation). Npm only.
--private-ns PRIVATE_NS
Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
-t PROJECT_TYPE, --type PROJECT_TYPE
Override project type if auto-detection is incorrect
--bom BOM Examine using the given Software Bill-of-Materials (SBOM) file in CycloneDX format. Use cdxgen command to produce one.
-i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
Source directory or container image or binary file
-o REPORT_FILE, --report_file REPORT_FILE
DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
--reports-dir REPORTS_DIR
Reports directory
--report-template REPORT_TEMPLATE
Jinja template file used for rendering a custom report
--report-name REPORT_NAME
Filename of the custom report written to the --reports-dir
--no-error UNUSED: Continue on error to prevent build from breaking
--no-license-scan UNUSED: dep-scan doesn't perform license scanning by default
--deep Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
--no-universal Depscan would attempt to perform a single universal scan instead of individual scans per language type.
--no-vuln-table Do not print the table with the full list of vulnerabilities. This can help reduce console output.
--threatdb-server THREATDB_SERVER
ThreatDB server url. Eg: https://api.sbom.cx
--threatdb-username THREATDB_USERNAME
ThreatDB username
--threatdb-password THREATDB_PASSWORD
ThreatDB password
--threatdb-token THREATDB_TOKEN
ThreatDB token for token based submission
--server Run depscan as a server
--server-host SERVER_HOST
depscan server host
--server-port SERVER_PORT
depscan server port
--cdxgen-server CDXGEN_SERVER
cdxgen server url. Eg: http://cdxgen:9090
--debug Run depscan in debug mode.
--explain Makes depscan to explain the various analysis. Useful for creating detailed reports.
--reachables-slices-file REACHABLES_SLICES_FILE
Path for the reachables slices file created by atom.
--purl SEARCH_PURL Scan a single package url.
-v, --version Display the versionScan a Java project.
depscan --src <path> -o containertests/depscan-scan.json -t javaScan latest tag of the container shiftleft/scan-slim
depscan --src shiftleft/scan-slim -o containertests/depscan-scan.json -t dockerInclude license to the type to perform the license audit.
depscan --src shiftleft/scan-slim -o containertests/depscan-scan.json -t docker,licenseYou can also specify the image using the sha256 digest
depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t dockerYou can also save container images using docker or podman save command and pass the archive to depscan for scanning.
docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest
# podman save --format oci-archive -o /tmp/scanslim.tar shiftleft/scan-slim:latest
depscan --src /tmp/scanslim.tar -o reports/depscan-scan.json -t dockerRefer to the docker tests under the GitHub action workflow for this repo for more examples.
ghcr.io/owasp-dep-scan/dep-scan container image can be used to perform the scan.
To scan with default settings
docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reportsTo scan with custom environment variables based configuration
docker run --rm \
-e VDB_HOME=/db \
-e GITHUB_TOKEN=<token> \
-v /tmp:/db \
-v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reportsIn the above example, /tmp is mounted as /db into the container. This directory is then specified as VDB_HOME for caching the vulnerability information. This way the database can be cached and reused to improve performance.
dep-scan and cdxgen could be run in server mode. Use the included docker-compose file to get started.
git clone https://github.com/owasp-dep-scan/dep-scan
docker compose updepscan --server --server-host 0.0.0.0 --server-port 7070In server mode, use /cache endpoint to cache the vulnerability database.
# This would take over 5 minutes
curl http://0.0.0.0:7070/cacheUse the /scan endpoint to perform scans.
Note
The type parameter is mandatory in server mode.
- Scanning a local directory. Scanning an SBOM file (present locally).
curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan- Scanning a GitHub repo.
curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json- Uploading an SBOM file and generating results based on it.
curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=jsMIT License
This project was donated to the OWASP Foundation in August 2023 by AppThreat Ltd.
This project is funded through NGI Zero Core, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.
