ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

Command exited with non-zero status 1 #358

Open farrukhnajmi opened 2 years ago

farrukhnajmi commented 2 years ago

Thanks for a great OSS SAST tool.

I am using slscan using the following command on a gradle multi-module project with mostly kotlin code and some terraform code:

env ENABLE_OSS_RISK=true time sh <(curl https://slscan.sh)

On running above command on earlier versions of my code I was getting OSS Risk audit results. After I fixed several issues including fixing OSS Risk audit issues I am now getting slscan to crash probably while doing the OSS Risk audit scan.

Note: I run slscan after building entire gradle project.

The following is the output from slscan (see last 3 lines):

```
env ENABLE_OSS_RISK=true time sh <(curl https://slscan.sh)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   299  100   299    0     0    126      0  0:00:02  0:00:02 --:--:--   126

███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██║     ███████║██╔██╗ ██║
╚════██║██║     ██╔══██║██║╚██╗██║
███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

[18:02:28] INFO Scanning /app using plugins ['credscan', 'kotlin', 'nodejs', 'terraform', 'yaml', 'depscan']

Build failed with 18 weighted issues.

[18:05:42] INFO Suppressed 7 issues
╭──────────────────────── New Feature ────────────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯

[18:08:27] INFO Baseline file written to /app/reports/.sastscan.baseline
Security Scan Summary
╔═══════════════════════════════════╤══════════╤══════╤════════╤═════╤════════╗
║ Tool                              │ Critical │ High │ Medium │ Low │ Status ║
╟───────────────────────────────────┼──────────┼──────┼────────┼─────┼────────╢
║ Kotlin Static Analysis            │ 0        │ 0    │ 16     │ 0   │ ❌     ║
║ Security Audit for Infrastructure │ 0        │ 0    │ 0      │ 0   │ ✅     ║
║ Secrets Audit                     │ 0        │ 1    │ 0      │ 0   │ ❌     ║
║ Kotlin Security Audit             │ 0        │ 0    │ 0      │ 0   │ ✅     ║
╚═══════════════════════════════════╧══════════╧══════╧════════╧═════╧════════╝
Command exited with non-zero status 1
0.07user 0.05system 6:08.01elapsed 0%CPU (0avgtext+0avgdata 61708maxresident)k
8inputs+0outputs (0major+7531minor)pagefaults 0swaps
```

Is this a known issue? If so, is there a workaround so I can get the OSS Risk audit report?

prabhu commented 2 years ago

@farrukhnajmi The oss risk audit is powered by dep-scan

https://github.com/AppThreat/dep-scan

Can you try running dep-scan directly to see what is going on?