ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

Consider allowing users to bring their own CycloneDX SBOM files #307

Closed erichs closed 3 years ago

erichs commented 3 years ago

There are a couple of cases where this can be helpful:

  1. for whatever reason, a CycloneDX-compatible BOM file is already being generated with one of these tools
  2. the underlying cdxgen cannot be made to work with the repo at hand

It would be really great to pass a path to a BOM.xml or BOM.json file via args or .sastscanrc, and have it skip the bomgen step for that run.

erichs commented 3 years ago

When cdxgen throws, only an empty-scan-report.sarif file is generated.

prabhu commented 3 years ago

@erichs This is an interesting idea. dep-scan already supports scanning based on an existing bom file - https://github.com/AppThreat/dep-scan/blob/master/depscan/cli.py#L95

So a .sastscanrc file like below would work assuming a bom.json exists in src directory.

```json
{
  "depscan": [
    "/usr/local/bin/depscan",
    "--no-banner",
    "--suggest",
    "--src",
    "%(src)s",
    "--bom",
    "%(src)s/bom.json",
    "--report_file",
    "%(report_fname_prefix)s.json"
  ]
}
```

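
A pre-flight check for the override above, added here as an example and not code from sast-scan or dep-scan: it expands the `%(src)s` / `%(report_fname_prefix)s` placeholders (assumed to be Python %-formatting) and verifies that the file handed to `--bom` exists and is a CycloneDX JSON BOM, so a bad path fails loudly before the scan runs rather than ending in an empty report. The `SASTSCANRC` dict and the `bom.json` content are constructed sample data.

```python
import json
import os
import tempfile

# Constructed .sastscanrc override, same shape as the one in the thread.
SASTSCANRC = {
    "depscan": [
        "/usr/local/bin/depscan", "--no-banner", "--suggest",
        "--src", "%(src)s",
        "--bom", "%(src)s/bom.json",
        "--report_file", "%(report_fname_prefix)s.json",
    ]
}

def render_argv(rc, src, report_fname_prefix):
    """Expand the %(name)s placeholders; assumed to be Python %-formatting."""
    params = {"src": src, "report_fname_prefix": report_fname_prefix}
    return [arg % params for arg in rc["depscan"]]

def check_bom(argv):
    """Pre-flight the --bom file; returns a list of problems, empty if usable."""
    if "--bom" not in argv:
        return ["no --bom argument: an existing BOM will not be used"]
    bom_path = argv[argv.index("--bom") + 1]
    if not os.path.isfile(bom_path):
        return [f"--bom file not found: {bom_path}"]
    try:
        with open(bom_path, encoding="utf-8") as fh:
            bom = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"--bom file is not valid JSON: {exc}"]
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("components"):
        problems.append("BOM lists no components; depscan would have nothing to check")
    return problems

def demo():
    """Run the check before and after a constructed bom.json exists in src."""
    with tempfile.TemporaryDirectory() as src:
        argv = render_argv(SASTSCANRC, src, os.path.join(src, "depscan"))
        before = check_bom(argv)
        bom = {"bomFormat": "CycloneDX", "specVersion": "1.3",
               "components": [{"type": "library", "name": "lodash", "version": "4.17.20"}]}
        with open(os.path.join(src, "bom.json"), "w", encoding="utf-8") as fh:
            json.dump(bom, fh)
        return before, check_bom(argv)
```
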
erichs commented 3 years ago

Wow, I missed that. Perfect. Thanks also for the .sastscanrc example!