ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0
790 stars, 110 forks

no depscan report generated if no vulnerabilities are found #168

Open stevesea opened 4 years ago

stevesea commented 4 years ago

If I run sast-scan on my project:

docker run --rm \
    -e "SCAN_DEBUG_MODE=debug" \
    -e "VDB_HOME=/db" \
    -e "GITHUB_TOKEN=${GITHUB_TOKEN}" \
    -e "WORKSPACE=${PWD}" \
    -v /tmp/vuln:/db -v ~/.m2:/.m2 -v $(pwd):/app \
    shiftleft/sast-scan \
    scan --src /app --out_dir /app/reports --type java,kotlin,depscan

I see output like:

DEBUG    ⚡︎ Executing depscan "/usr/local/bin/depscan --no-banner --suggest --src /app --report_file /app/reports/depscan-report.json"
DEBUG [2020-08-19 19:18:33,051] Vulnerability database loaded from /db/data.vdb
DEBUG [2020-08-19 19:18:35,762] Vulnerability database contains 428485 records
INFO [2020-08-19 19:18:35,762] Performing regular scan for /app using plugin java
INFO [2020-08-19 19:18:35,762] Scanning 7 oss dependencies for issues 
INFO [2020-08-19 19:19:14,159] No oss vulnerabilities detected ✅

But the /app/reports/depscan-report.json file is not created. Many of the other tools within sast-scan seem to still generate a report if no vulnerabilities are found.

Prior to setting SCAN_DEBUG_MODE=debug, I didn't get any indication from the sast-scan output that depscan had run and didn't find any issues.

prabhu commented 4 years ago

@stevesea Thanks for reporting this. A few tools such as credscan and python taint do not produce the file with empty results. But I agree it will be nice to make it consistent. I will take a look at this. Glad you found the DEBUG_MODE flag. It helps hide the crashes from everyday scans, but I agree it will make the initial diagnosis quite hard.

prabhu commented 4 years ago

@stevesea I will begin work on this requirement this week since this will help implement build breaker support for depscan as well. Meanwhile, as a workaround look for the presence of bom.json file. This file should always get produced with a full list of all oss dependencies. In an ideal world, this file would have also included the vulnerabilities information as well as per cyclonedx specification. When I started building depscan, Google's grafeas project was all craze so I started producing depscan results in grafeas format hoping that users would import results with a standard like SARIF. But looks like grafeas has gone silent (dead?) over time.