owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Support for suppression #110

Open prabhu opened 1 year ago

prabhu commented 1 year ago

A tool like dep-scan inevitably produces false positives due to aliasing and SBoM generation lifecycle.

While tools like trivy offer ignore files and rego policies to support advanced filtering, depscan could offer a TOML-based solution instead.

Regarding file naming and folder structure, it might be wise to adopt dot-config instead of spoiling the root folders of every repo.

https://dot-config.github.io

So suppression lists could be kept under .config/depscan/*.toml with an optional --config-dir to override this directory for integration use cases.
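A sketch of how the layout and rule format proposed in this comment could be loaded and applied, as an added example that is not dep-scan's own code or config format. The TOML schema (`[[suppress]]` tables with `id`, `reason`, optional `purl` and `expires`), the placeholder advisory ids, and the sample findings are all assumptions; the `--config-dir` override is modelled as a plain function argument. It also shows two checks a practitioner would want from a suppression mechanism: a rule matches through the finding's aliases (so a GHSA alias of a suppressed CVE does not resurface), and rules carry a mandatory reason and an optional expiry after which they are ignored.

```python
"""Hypothetical suppression-list loader in the shape proposed in this issue.

Added example, not dep-scan's code. Assumed layout: <repo>/.config/depscan/*.toml,
overridable by a --config-dir value (passed here as a plain argument).
Assumed schema: [[suppress]] tables with `id`, `reason` (required), and optional
`purl` and `expires` (YYYY-MM-DD).
"""
import glob
import os
import sys
import tempfile
from datetime import date

try:
    import tomllib  # standard library from Python 3.11
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

DEFAULT_CONFIG_SUBDIR = os.path.join(".config", "depscan")

# Constructed sample rule files; the advisory ids are placeholders, not real ones.
SAMPLE_RULES = {
    "reachability.toml": """
[[suppress]]
id = "CVE-1900-0001"
purl = "pkg:pypi/examplelib@1.0.0"
reason = "Vulnerable function is never called from our entry points"
expires = "2099-12-31"
""",
    "stale.toml": """
[[suppress]]
id = "GHSA-xxxx-yyyy-zzzz"
reason = "Waiting for an upstream fix"
expires = "2020-01-01"   # already expired: must be ignored
""",
}

# Constructed findings in the shape a scanner might emit after SBoM enrichment.
SAMPLE_FINDINGS = [
    {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-1900-0001"],
     "purl": "pkg:pypi/examplelib@1.0.0"},   # same advisory under a GHSA alias
    {"id": "CVE-1900-0001", "aliases": [],
     "purl": "pkg:pypi/examplelib@2.0.0"},   # other version: rule must not apply
    {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": [],
     "purl": "pkg:npm/other@3.1.0"},         # its only rule has expired
    {"id": "CVE-1900-0002", "aliases": [],
     "purl": "pkg:npm/other@3.1.0"},         # no rule at all
]


def resolve_config_dir(repo_root, config_dir=None):
    """--config-dir wins; otherwise fall back to <repo_root>/.config/depscan."""
    return config_dir if config_dir else os.path.join(repo_root, DEFAULT_CONFIG_SUBDIR)


def load_suppressions(config_dir, today=None):
    """Read every *.toml in config_dir, validate each rule, drop expired ones."""
    today = today or date.today()
    rules = []
    for path in sorted(glob.glob(os.path.join(config_dir, "*.toml"))):
        with open(path, "rb") as fh:  # tomllib requires a binary handle
            doc = tomllib.load(fh)
        for rule in doc.get("suppress", []):
            if not rule.get("id") or not rule.get("reason"):
                raise ValueError(f"{path}: every suppression needs an id and a reason")
            if "expires" in rule and date.fromisoformat(rule["expires"]) < today:
                print(f"warning: {path}: rule for {rule['id']} has expired", file=sys.stderr)
                continue
            rules.append(rule)
    return rules


def purl_matches(rule_purl, finding_purl):
    """No purl on the rule matches any package; a versionless purl matches any version."""
    if rule_purl is None:
        return True
    if "@" not in rule_purl:
        return finding_purl.split("@", 1)[0] == rule_purl
    return finding_purl == rule_purl


def is_suppressed(finding, rules):
    """Match on the primary id or any alias so CVE/GHSA aliasing cannot defeat a rule."""
    ids = {finding["id"], *finding.get("aliases", [])}
    return any(r["id"] in ids and purl_matches(r.get("purl"), finding["purl"]) for r in rules)


def apply_suppressions(findings, rules):
    """Split findings into (kept ids, suppressed ids)."""
    kept = [f["id"] for f in findings if not is_suppressed(f, rules)]
    suppressed = [f["id"] for f in findings if is_suppressed(f, rules)]
    return kept, suppressed


def run_demo(repo_root=None, config_dir=None):
    """Write the sample rules under a temporary repo root and run the filter."""
    repo_root = repo_root or tempfile.mkdtemp()
    target = resolve_config_dir(repo_root, config_dir)
    os.makedirs(target, exist_ok=True)
    for name, text in SAMPLE_RULES.items():
        with open(os.path.join(target, name), "w") as fh:
            fh.write(text)
    rules = load_suppressions(target, today=date(2024, 6, 1))
    return apply_suppressions(SAMPLE_FINDINGS, rules)


if __name__ == "__main__":
    kept, suppressed = run_demo()
    print("kept:", kept)
    print("suppressed:", suppressed)
```

Running it suppresses only the `examplelib@1.0.0` finding, even though the scanner reported it under its GHSA id rather than the CVE named in the rule; the `2.0.0` finding stays because the rule pins a version, and the expired rule in `stale.toml` is reported on stderr and ignored rather than silently hiding a finding.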

cerrussell commented 1 year ago

@prabhu Is there a purpose for the depscan folder under .config since dot-config is talking about a .config directory at the repository level?

To clarify the --config-dir option, should this be to not use a suppression list or do you mean an alternative toml path to load?