Closed erichs closed 3 years ago

It would be really great to pass a path to a BOM.xml or BOM.json file via args or .sastscanrc, and have it skip the bomgen step for that run.

There are a couple of cases where this can be helpful:

- When cdxgen throws, only an empty-scan-report.sarif file is generated.

@erichs This is an interesting idea. dep-scan already supports scanning based on an existing bom file - https://github.com/AppThreat/dep-scan/blob/master/depscan/cli.py#L95

So a .sastscanrc file like below would work assuming a bom.json exists in src directory.

```json
{
  "depscan": [
    "/usr/local/bin/depscan",
    "--no-banner",
    "--suggest",
    "--src",
    "%(src)s",
    "--bom",
    "%(src)s/bom.json",
    "--report_file",
    "%(report_fname_prefix)s.json"
  ]
}
```

Wow, I missed that. Perfect. Thanks also for the .sastscanrc example!
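To check a configuration like the one in this thread before relying on it, here is an added Python example (not sast-scan's or dep-scan's own code) that expands the `%(...)s` placeholders, locates the `--bom` argument and verifies the referenced file is a CycloneDX JSON document before deciding that the bomgen step can be skipped. It assumes the placeholders are expanded with dict-style `%` formatting; the .sastscanrc content and the sample BOM are constructed here.

```python
import json
import os
import tempfile

# Constructed .sastscanrc content, mirroring the depscan entry from the thread.
SASTSCANRC = {
    "depscan": [
        "/usr/local/bin/depscan",
        "--no-banner",
        "--suggest",
        "--src", "%(src)s",
        "--bom", "%(src)s/bom.json",
        "--report_file", "%(report_fname_prefix)s.json",
    ]
}


def render_command(rc, tool, src, report_fname_prefix):
    """Expand %(name)s placeholders with dict-style % formatting (assumed behaviour)."""
    values = {"src": src, "report_fname_prefix": report_fname_prefix}
    return [arg % values for arg in rc[tool]]


def bom_argument(cmd):
    """Return the path passed to --bom, or None when the command has no --bom flag."""
    if "--bom" not in cmd:
        return None
    idx = cmd.index("--bom")
    return cmd[idx + 1] if idx + 1 < len(cmd) else None


def bom_is_usable(path):
    """True only if the pre-built BOM exists and looks like a CycloneDX JSON document."""
    if not path or not os.path.isfile(path):
        return False
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return False  # unreadable or malformed: do not skip bomgen on its account
    return isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX" \
        and isinstance(doc.get("components"), list)


def plan_scan(rc, src, report_fname_prefix):
    """Render the depscan command and decide whether bomgen can be skipped for this run."""
    cmd = render_command(rc, "depscan", src, report_fname_prefix)
    return cmd, bom_is_usable(bom_argument(cmd))


def demo():
    """Constructed end-to-end check: a src dir with a valid BOM, then one without."""
    with tempfile.TemporaryDirectory() as src:
        with open(os.path.join(src, "bom.json"), "w", encoding="utf-8") as fh:
            json.dump({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}, fh)
        cmd, with_bom = plan_scan(SASTSCANRC, src, os.path.join(src, "depscan-report"))
    with tempfile.TemporaryDirectory() as src:
        _, without_bom = plan_scan(SASTSCANRC, src, "depscan-report")
    return cmd[0], with_bom, without_bom
```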