Open stevesea opened 4 years ago
@stevesea Thanks for reporting this. A few tools, such as credscan and python taint, do not produce the file with empty results. But I agree it will be nice to make it consistent. I will take a look at this. Glad you found the DEBUG_MODE flag. It helps hide the crashes from everyday scans, but I agree it will make the initial diagnosis quite hard.
@stevesea I will begin work on this requirement this week, since this will help implement build breaker support for depscan as well. Meanwhile, as a workaround, look for the presence of the bom.json file. This file should always get produced with a full list of all OSS dependencies. In an ideal world, this file would have also included the vulnerability information as per the CycloneDX specification. When I started building depscan, Google's grafeas project was all the craze, so I started producing depscan results in grafeas format, hoping that users would import results with a standard like SARIF. But it looks like grafeas has gone silent (dead?) over time.
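The workaround above (use bom.json to tell "depscan did not run" apart from "depscan ran and found nothing") as a post-scan check a CI job could run. This is an added example, not code from the sast-scan or depscan project; it assumes the reports directory is passed as the first argument (defaulting to /app/reports) and that depscan-report.json, when written, holds one JSON record per line.

```shell
#!/bin/sh
# Added example (not from sast-scan/depscan): decide how a build should treat
# the depscan output, using bom.json as the signal that depscan actually ran.
# Assumption: depscan-report.json contains one record per line when present.

check_depscan_reports() {
    reports_dir="${1:-/app/reports}"
    bom="$reports_dir/bom.json"
    report="$reports_dir/depscan-report.json"

    # No bom.json means depscan never produced its dependency list: treat this
    # as a scan failure, not a clean result, so a silent crash cannot pass CI.
    if [ ! -s "$bom" ]; then
        echo "depscan: bom.json missing or empty in $reports_dir (scan did not run)" >&2
        return 2
    fi

    # bom.json present but no report: with the current behaviour this is the
    # "no vulnerabilities found" case. Say so explicitly instead of staying silent.
    if [ ! -f "$report" ]; then
        echo "depscan: ran, no vulnerabilities reported (no $report written)"
        return 0
    fi

    # Report present: count non-blank records and fail the build if any exist.
    count=$(grep -c '[^[:space:]]' "$report" || true)
    if [ "$count" -gt 0 ]; then
        echo "depscan: $count vulnerability record(s) in $report" >&2
        return 1
    fi
    echo "depscan: report present but empty"
    return 0
}

# Run the check only when a reports directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_depscan_reports "$@"
fi
```

Exit status 2 flags a scan that never ran, 1 flags findings, and 0 is clean; a CI step can break the build on anything but 0.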
If I run sast-scan on my project:
I see output like:
But, the /app/reports/depscan-report.json file is not created. Many of the other tools within sast-scan seem to still generate a report if no vulnerabilities are found.
Prior to setting `SCAN_DEBUG_MODE=debug`, I didn't get any indication from the sast-scan output that depscan ran and didn't find any issues.