ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

Difference between "scan" and "sast-scan" docker images #371

Closed sprathod369 closed 1 year ago

sprathod369 commented 2 years ago

Hi, I happened to explore this tool and found it pretty useful and interesting. One quick question I had regarding the two docker images I see, "scan" and "sast-scan":

1) shiftleft/scan
2) shiftleft/sast-scan

I did not find anything different browsing through the image layers on hub.docker.com. However, when I ran the analysis using the "scan" image and the "sast-scan" image against the same code repository and the same branch, I got a slightly different result in the severity summary for dependency scan. What am I missing here? Any inputs / clarifications will help.

Using the shiftleft/scan image: (screenshot)

Using the shiftleft/sast-scan image: (screenshot)

Thanks

prabhu commented 2 years ago

@sprathod369 Thank you for raising this issue. Ideally, the two images must be identical, but it looks like the build has started failing, so the images could be different.

https://dev.azure.com/shiftleftsecurity/sl-appthreat/_build?definitionId=11

You can set the environment variable SCAN_DEBUG_MODE=debug to see the underlying errors. I'm suspecting they are packaging different versions of dep-scan.
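One way to check the suspicion above without reading the scan output at all is to list the Python packages installed in each image and diff them. The script below is an added example and is not part of this issue thread or of the sast-scan project; it assumes that both images are Python-based with `pip` on the PATH inside them (so `pip freeze` works with `--entrypoint pip`), and the package names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the Python packages installed in two scanner images
# so that version drift (e.g. a different dep-scan release) is visible before
# comparing the two images' scan results.
set -eu

# Assumption: the image is Python-based and pip is on its PATH.
# Prints one "name==version" line per installed package, sorted.
list_packages() {
  docker run --rm --entrypoint pip "$1" freeze 2>/dev/null | sort
}

# Pure comparison helper (no docker needed): $1 and $2 are files holding
# "name==version" lines. Prints "name: left -> right" for every package whose
# version differs or that is present on only one side, sorted by name.
diff_package_lists() {
  awk -F'==' '
    NR == FNR { left[$1] = $2; next }
              { right[$1] = $2 }
    END {
      for (p in left)  if (!(p in right)) printf "%s: %s -> (missing)\n", p, left[p]
      for (p in right) if (!(p in left))  printf "%s: (missing) -> %s\n", p, right[p]
      for (p in left)  if ((p in right) && left[p] != right[p])
                                            printf "%s: %s -> %s\n", p, left[p], right[p]
    }' "$1" "$2" | sort
}

# Only talk to docker when two image references are given on the command line,
# e.g.:  sh compare_scan_images.sh shiftleft/scan shiftleft/sast-scan
if [ "$#" -eq 2 ]; then
  left=$(mktemp); right=$(mktemp)
  trap 'rm -f "$left" "$right"' EXIT
  list_packages "$1" > "$left"
  list_packages "$2" > "$right"
  echo "Packages that differ between $1 and $2:"
  diff_package_lists "$left" "$right"
fi
```

If the two images really are built from the same Dockerfile, the diff is empty; a line such as `appthreat-depscan: X -> Y` is the first thing to look at when the dependency-scan severity summary differs between otherwise identical runs.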

sprathod369 commented 2 years ago

Thank you @prabhu - appreciate your inputs. I did try to set the environment variable SCAN_DEBUG_MODE=debug but did not find anything highlighting the version of dep-scan (or the version of the scan tool itself, or any of the integrated tool versions in use, e.g. checkov). This may possibly be an underlying error with the "sast-scan" image: (screenshot)

For now, it seems the "scan" image may be the better choice vs. the "sast-scan" image. Thanks again!!

prabhu commented 2 years ago

@sprathod369 This looks like a bug in https://github.com/AppThreat/vulnerability-db/. Could you help me by trying to replicate it there and file a bug in that repo with your observation?

prabhu commented 1 year ago

@sprathod369 are you still seeing this issue?

sprathod369 commented 1 year ago

No longer an issue when I last checked a couple of weeks back.