owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://owasp.org/www-project-dep-scan/
MIT License

Bug: Missing JSON report when running as Dockerized #318

Open kaiorafael opened 4 months ago

kaiorafael commented 4 months ago

Expected Behavior

When Dockerized, depscan should generate the .json file as well.

Actual Behavior

When running as described in the documentation, I can find a /tmp/report-docker.json output file:

depscan --src /tmp/image.tar -o /tmp/report.json -t docker

However, when Dockerized, I am not able to find the .json report file. I can only find the .html and .pdf reports instead.

Steps to Reproduce

1) git clone the repository
2) build it as: docker build -t deepscan .
3) collect the image inventory using cdxgen
4) run against the SBOM file generated in 3:

docker run -v /tmp:/tmp -v $HOME/.cache:/root/.cache -e VDB_HOME=/root/.cache deepscan --bom /tmp/cdxgen2.json --reports-dir /tmp/bar -o /tmp/bar/report.json

Inside of /tmp/bar there are only the following files:

.
├── report.html
└── report.pdf

Additional Information

No response

prabhu commented 4 months ago

@kaiorafael since you invoke with --bom /tmp/cdxgen2.json, is there a file named --bom /tmp/cdxgen2.vdr.json getting generated? The reports-dir argument needs to be improved. Also note that the .json is a jsonlines-formatted file which is going away in v6. So best to consume the .vdr.json file.
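Consuming the .vdr.json instead of the jsonlines report, as suggested above: an added example (not depscan's own code) that reads a CycloneDX VDR-shaped document, counts findings by severity and lists the affected component refs that should fail a CI gate. The sample document and its placeholder ids are constructed here; field names follow the CycloneDX vulnerabilities schema.

```python
import json
from collections import Counter

# Constructed sample in the CycloneDX VDR shape that depscan writes next to the
# input BOM as <bom>.vdr.json. Placeholder ids only; not real depscan output.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "ratings": [{"severity": "critical", "score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}]},
        {"id": "CVE-0000-0002",
         "ratings": [{"severity": "medium", "score": 5.3, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/other-lib@2.1.0"}]},
        {"id": "CVE-0000-0003",  # unrated entry: must not be silently dropped
         "ratings": [],
         "affects": [{"ref": "pkg:pypi/thing@0.1.0"}]},
    ],
})

# CycloneDX severities, most to least severe; unrated entries become "unknown".
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def max_severity(vuln):
    """Highest severity named in a vulnerability's ratings list."""
    sevs = {r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])}
    for level in SEVERITY_ORDER:
        if level in sevs:
            return level
    return "unknown"


def summarize_vdr(vdr_text):
    """Count vulnerabilities per severity from a VDR document (JSON string)."""
    doc = json.loads(vdr_text)
    return Counter(max_severity(v) for v in doc.get("vulnerabilities", []))


def failing_refs(vdr_text, threshold="high"):
    """Component refs hit by a vulnerability at or above the threshold.
    Unrated ("unknown") entries are reported too, so a gap in the data is
    visible instead of quietly passing the gate."""
    doc = json.loads(vdr_text)
    limit = SEVERITY_ORDER.index(threshold)
    refs = set()
    for v in doc.get("vulnerabilities", []):
        sev = max_severity(v)
        if SEVERITY_ORDER.index(sev) <= limit or sev == "unknown":
            refs.update(a.get("ref", "?") for a in v.get("affects", []))
    return sorted(refs)
```

Run with `failing_refs(open("cdxgen2.vdr.json").read())` and fail the pipeline when the list is non-empty.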

kaiorafael commented 4 months ago

> @kaiorafael since you invoke with --bom /tmp/cdxgen2.json, is there a file named --bom /tmp/cdxgen2.vdr.json getting generated?

No