Time to look at open-source dependency scanning

[prabhu]

Now that SAST scanning is sufficiently mature and stable, it's time to look at open-source dependency scanning.

Our sast-scan container images already bundles a number of dependency scanning tools such as dependency-check, retire.js, ossaudit and so on. They operate differently and produce reports in their formats.

Some challenges that need to be solved:

• Dependency-check (and the likes of trivy) is downloading all the CVE/NVD data each time for each run. Because of the added complexity with our container-based execution, effort is required to cache such data and mount the volume to the docker image and so on. Over a http proxy this would incur additional penalty. I am going to look at the pros and cons of splitting our container image into a separate sast-scan and oss-scan image
• Tools such as retire.js, ossaudit and so on use the oss sonatype backend which requires a separate API key to make it usable. Currently, we are not requesting and injecting this api key. I want to spend time figuring out a way to do an efficient oss scan that neither involves downloading all the data nor requires a proprietary database such as sonatype!
• Investigate and identify a common format to represent dependency vulnerabilities. Strong contender is grafeas

[prabhu]

Preview of dep-scan is now available. It works although there are a number of false positives. Over the next few weeks I will be testing dep-scan against other popular scanning tools to identify and resolve the issues.

I think it is time to deprecate and eventually remove the various oss scanning tools that are bundled into sast-scan. The following packages could be removed to save some space:

• dependency-check
• retire.js
• ossaudit

[prabhu]

dep-scan is now fully integrated into sast-scan. Simple add depscan to the --type parameter as shown here. Should work for all CI environments.