
AppThreat / dep-scan

Licence: MIT
Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI and Google CloudBuild. No server required!

Programming Languages

Python, Dockerfile, shell


Introduction

dep-scan is a fully open-source security audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for CI environments with built-in build-breaker logic.

Depscan logo

Features

  • Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
  • Package vulnerability scanning is performed locally and is quite fast. No server is used!
  • Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information
  • Perform a deep package risk audit for dependency confusion attacks and maintenance risks (see Package Risk audit)

Depscan insights

Vulnerability Data sources

  • OSV
  • NVD
  • GitHub
  • NPM
  • Linux vuln-list (Use --cache-os)

Linux distros

  • AlmaLinux
  • Debian
  • Alpine
  • Amazon Linux
  • Arch Linux
  • RHEL/CentOS
  • Rocky Linux
  • Ubuntu
  • OpenSUSE/SLES
  • Photon

Application vulnerabilities are reported on every platform, including all Linux distros and Windows; OS package vulnerabilities additionally need the distro data above. To download the full vulnerability database required for OS scanning, invoke dep-scan with --cache-os the first time. dep-scan also downloads the database appropriate to the detected project type automatically.

Usage

dep-scan is ideal for use during continuous integration (CI) and as a local development tool.

OCI Artifacts via ORAS cli

Use ORAS cli to download the dep-scan binary and the vulnerability database for effortless integration. Example workflow is here.

export VDB_HOME=depscan
mkdir -p $VDB_HOME
oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
oras pull ghcr.io/appthreat/depscan:v4 -o $VDB_HOME

Single binary executables

Download the executable binary for your operating system from the releases page. These binaries bundle the following:

  • dep-scan with Python 3.10
  • cdxgen with Node.js 18
  • cdxgen binary plugins

curl -LO https://github.com/appthreat/depscan-bin/releases/download/v3.5.1/depscan-linux-amd64
chmod +x depscan-linux-amd64
./depscan-linux-amd64 --help

On Windows,

curl -LO https://github.com/appthreat/depscan-bin/releases/download/v3.5.1/depscan.exe
.\depscan.exe --help

Server mode

dep-scan and cdxgen can be run in server mode. Use the included docker compose file to get started, or start the server directly with the --server flags:

git clone https://github.com/AppThreat/dep-scan
docker compose up

depscan --server --server-host 0.0.0.0 --server-port 7070

Binding to 0.0.0.0 exposes the API on every network interface, and the /scan endpoint below accepts arbitrary local paths and remote URLs. Bind to 127.0.0.1 for local use; otherwise keep the server on a trusted network or behind an authenticating reverse proxy.

In server mode, use the /cache endpoint to cache the vulnerability database.

# This would take over 5 minutes
curl http://0.0.0.0:7070/cache

To cache all vulnerabilities, including OS packages:

# This would take over 5 minutes
curl http://0.0.0.0:7070/cache?os=true

Use the /scan endpoint to perform scans. The --json flag requires curl 7.82 or later; with older versions pass -H 'Content-Type: application/json' -d '...' instead.

curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vex.json
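The report written above (app.vex.json) is what a CI gate consumes. The following Python script is an added example, not part of dep-scan or its README: it reads a CycloneDX VEX document, takes the strongest severity rating per finding, and fails the build when any non-allowlisted finding is at or above a chosen severity. It assumes the CycloneDX 1.4+ vulnerabilities schema (id, ratings with severity, affects with package-url refs); the embedded report is constructed sample data with placeholder identifiers, not real scanner output, and the file name vex_gate.py is arbitrary.

```python
"""Gate a CI build on a dep-scan VEX report (added example, not dep-scan code).

Assumes the CycloneDX 1.4+ "vulnerabilities" array: each entry has an "id",
optional "ratings" (with "severity") and "affects" (package-url refs).
"""
import json
import sys
from typing import Dict, List, Optional, Set, Tuple

# Unrated findings are treated as "medium" so a medium gate still catches them.
SEVERITY_ORDER = {"none": 0, "info": 0, "low": 1, "medium": 2,
                  "high": 3, "critical": 4, "unknown": 2}

# Constructed sample report: placeholder ids and purls, not real scanner output.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "EXAMPLE-2023-0001",
         "ratings": [{"severity": "critical", "method": "CVSSv31", "score": 9.8}],
         "affects": [{"ref": "pkg:npm/koa-example@1.0.0"}]},
        {"id": "EXAMPLE-2023-0002",
         "ratings": [{"severity": "low", "score": 3.1}],
         "affects": [{"ref": "pkg:npm/leftpad-example@0.1.0"}]},
        {"id": "EXAMPLE-2023-0003", "ratings": [],
         "affects": [{"ref": "pkg:npm/mystery-example@2.0.0"}]},
    ],
})


def highest_severity(vuln: dict) -> str:
    """Strongest severity among the ratings, or "unknown" when there are none."""
    sevs = [str(r.get("severity", "unknown")).lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_ORDER.get(s, 2)) if sevs else "unknown"


def evaluate(vex_text: str, fail_on: str = "high",
             allowlist: Optional[Set[str]] = None) -> Tuple[bool, List[Dict[str, str]]]:
    """Return (passed, offending): findings at or above fail_on that are not allowlisted."""
    doc = json.loads(vex_text)
    threshold = SEVERITY_ORDER[fail_on.lower()]
    allow = allowlist or set()
    offending: List[Dict[str, str]] = []
    for v in doc.get("vulnerabilities", []):
        vid = str(v.get("id", "?"))
        if vid in allow:
            continue                      # accepted risk recorded outside the scanner
        sev = highest_severity(v)
        if SEVERITY_ORDER.get(sev, 2) >= threshold:
            refs = ", ".join(a.get("ref", "?") for a in v.get("affects", []))
            offending.append({"id": vid, "severity": sev, "affects": refs})
    return (not offending, offending)


if __name__ == "__main__":
    # usage: python vex_gate.py [app.vex.json] [fail_on]; falls back to the sample report
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_VEX
    passed, bad = evaluate(text, sys.argv[2] if len(sys.argv) > 2 else "high")
    for b in bad:
        print(f"{b['severity']:>8}  {b['id']}  {b['affects']}")
    print("PASS" if passed else f"FAIL: {len(bad)} finding(s) at or above threshold")
    sys.exit(0 if passed else 1)
```

Run depscan with --no-error so the scan step itself does not abort, then let this script decide the build result: python vex_gate.py reports/app.vex.json high. Keeping the allowlist in version control next to the pipeline makes every accepted finding reviewable.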

Use with ShiftLeft Scan

dep-scan is integrated with scan, a free and open-source SAST tool. To enable this feature simply pass depscan to the --type argument. Refer to the scan documentation for more information.

---
--type python,depscan,credscan

This approach should work for all CI environments supported by scan.

Scanning projects locally (Python version)

sudo npm install -g @cyclonedx/cdxgen
pip install appthreat-depscan

This installs two commands, cdxgen and depscan (the Python package also registers depscan under the shorter name scan, which is what the container images below invoke). Note that a global npm install run under sudo executes any package install scripts as root; prefer a user-writable npm prefix where possible.

You can invoke the scan command directly with the various options.

cd <project to scan>
depscan --src $PWD --reports-dir $PWD/reports

Full list of options are below:

usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
              [--reports-dir REPORTS_DIR] [--no-error] [--deep]
  -h, --help            show this help message and exit
  --no-banner           Do not display banner
  --cache               Cache vulnerability information in platform specific user_data_dir
  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
  --risk-audit          Perform package risk audit (slow operation). Npm only.
  --private-ns PRIVATE_NS
                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma
                        separated values accepted.
  -t PROJECT_TYPE, --type PROJECT_TYPE
                        Override project type if auto-detection is incorrect
  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
  -i SRC_DIR, --src SRC_DIR
                        Source directory
  --reports-dir REPORTS_DIR
                        Reports directory
  --no-error            Continue on error to prevent build from breaking
  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
  --threatdb-server THREATDB_SERVER
                        ThreatDB server url. Eg: https://api.sbom.cx
  --threatdb-username THREATDB_USERNAME
                        ThreatDB username
  --threatdb-password THREATDB_PASSWORD
                        ThreatDB password
  --threatdb-token THREATDB_TOKEN
                        ThreatDB token for token based submission
  --privado-json PRIVADO_JSON
                        Enrich the VEX report with information from privado.ai json report.

Scanning containers locally (Python version)

Scan latest tag of the container shiftleft/scan-slim

depscan --no-error --cache --src shiftleft/scan-slim -o containertests/depscan-scan.json -t docker

Add license to the type list to perform a license audit as well.

depscan --no-error --cache --src shiftleft/scan-slim -o containertests/depscan-scan.json -t docker,license

You can also specify the image by its sha256 digest:

depscan --no-error --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker

You can also save container images with docker save or podman save and pass the archive to depscan for scanning.

docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest
# podman save --format oci-archive -o /tmp/scanslim.tar shiftleft/scan-slim:latest
depscan --no-error --src /tmp/scanslim.tar -o reports/depscan-scan.json -t docker

Refer to the docker tests under GitHub action workflow for this repo for more examples.

Scanning projects locally (Docker container)

The ghcr.io/appthreat/dep-scan or public.ecr.aws/appthreat/dep-scan:latest container image can be used to perform the scan.

To scan with default settings

docker run --rm -v $PWD:/app ghcr.io/appthreat/dep-scan scan --src /app --reports-dir /app/reports

Using AWS public ECR image

docker run --rm -v $PWD:/app public.ecr.aws/appthreat/dep-scan scan --src /app --reports-dir /app/reports

To scan with custom environment variables based configuration

docker run --rm \
    -e VDB_HOME=/db \
    -e NVD_START_YEAR=2010 \
    -e GITHUB_PAGE_COUNT=5 \
    -e GITHUB_TOKEN=<token> \
    -v /tmp:/db \
    -v $PWD:/app ghcr.io/appthreat/dep-scan scan --src /app --reports-dir /app/reports

In the above example, /tmp on the host is mounted as /db inside the container and /db is set as VDB_HOME, so the vulnerability database is cached there and reused across runs to improve performance. Avoid passing the GitHub token as a literal on the command line (it ends up in shell history and in docker inspect output); -e GITHUB_TOKEN with no value forwards the variable from the host environment instead.

Supported languages and package format

dep-scan uses the cdxgen command internally to create a Software Bill-of-Materials (SBoM) file for the project, which is then used to perform the scans.

The following project and package-dependency formats are supported by cdxgen.

Language             Package format
node.js              package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js
java                 maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel
php                  composer.lock
python               setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info
go                   binary, go.mod, go.sum, Gopkg.lock
ruby                 Gemfile.lock, gemspec
rust                 binary, Cargo.toml, Cargo.lock
.Net                 .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg
dart                 pubspec.lock, pubspec.yaml
haskell              cabal.project.freeze
elixir               mix.lock
c/c++                conan.lock, conanfile.txt
clojure              Clojure CLI (deps.edn), Leiningen (project.clj)
docker / oci image   All supported languages and Linux OS packages
GitHub Actions       Workflows under .github/workflows/*.yml
Jenkins Plugins      .hpi files
YAML manifests       docker-compose, kubernetes, kustomization, skaffold, tekton etc

NOTE

The docker image for dep-scan currently doesn't bundle suitable java and maven commands required for BOM generation. To work around this limitation, you can:

  1. Use python-based execution from a VM containing the correct versions for java, maven and gradle.
  2. Generate the bom file by invoking cdxgen command locally and subsequently passing this to dep-scan via the --bom argument.

Integration with CI environments

Integration with Azure DevOps

Refer to this example yaml configuration for integrating dep-scan with Azure Pipelines. The build step would perform the scan and display the report inline as shown below:

Azure DevOps integration

Integration with GitHub Actions

This tool can be used with GitHub Actions using this action.

This repo scans itself with both sast-scan and dep-scan; check the GitHub workflow file of this repo.

- name: Self dep-scan
  uses: AppThreat/dep-scan-action@master
  env:
    VDB_HOME: ${{ github.workspace }}/db
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Referencing the action as @master runs whatever the branch currently points to; for a reproducible and tamper-evident pipeline, pin a release tag or, better, a full commit SHA instead.

Customization through environment variables

The following environment variables can be used to customise the behaviour.

  • VDB_HOME - Directory to use for caching database. For docker based execution, this directory should get mounted as a volume from the host
  • NVD_START_YEAR - Default: 2018. Values back to 2002 are supported
  • GITHUB_PAGE_COUNT - Default: 2. Values up to 20 are supported

GitHub Security Advisory

To download security advisories from GitHub, a personal access token with the following scope is necessary:

  • read:packages

export GITHUB_TOKEN="<PAT token>"

Suggest mode

The fix version for each vulnerability is retrieved from the data sources. Sometimes the reported fix version itself has known vulnerabilities. For example, in the screenshot below the fix versions suggested for jackson-databind may contain known vulnerabilities.

Normal mode

Passing the --suggest argument forces depscan to recheck the fix suggestions, so that the version suggested for a package group is one that is itself free of the known vulnerabilities reported for that group.

Suggest mode

Notice how the new suggested version is 2.9.10.5, which is an optimal fix version. Please note that the optimal fix version may not be the appropriate version for your application for compatibility reasons.
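The selection that suggest mode performs can be illustrated in code. The following Python is an added example, not dep-scan's own implementation: given several advisories against one package, each with an affected range and a fixed-in version, it reports which per-advisory fix versions still fall inside another advisory's range and picks the lowest fix version that no advisory affects. The advisory ids and ranges are constructed placeholders (not real CVEs), chosen so that the result is 2.9.10.5 as in the screenshot; versions are compared as zero-padded dotted integer tuples, which covers the four-part jackson-databind scheme but not pre-release suffixes.

```python
"""Pick a fix version that is clean across all advisories for one package.

Added example, not dep-scan code. Ranges are [introduced, fixed) as in OSV-style data.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    id: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Dotted integer version padded with zeros so that 2.9.10 == 2.9.10.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def vulnerable_suggestions(advs: List[Advisory]) -> Dict[str, List[str]]:
    """For each advisory's own fix version, the other advisories that still affect it."""
    return {a.id: [b.id for b in advs if b.id != a.id and is_affected(a.fixed, b)]
            for a in advs}


def suggest_fix(advs: List[Advisory]) -> Optional[str]:
    """Lowest fix version among the advisories that none of them affects, else None."""
    for cand in sorted({a.fixed for a in advs}, key=parse_version):
        if not any(is_affected(cand, a) for a in advs):
            return cand
    return None   # every known fix is still in some range; a newer release is required


# Constructed advisories for one package: placeholder ids and ranges, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("ADV-A", "2.9.0", "2.9.10.1"),
    Advisory("ADV-B", "2.9.0", "2.9.10.3"),
    Advisory("ADV-C", "2.9.10", "2.9.10.5"),
]

if __name__ == "__main__":
    print("naive per-advisory fixes still affected by:", vulnerable_suggestions(SAMPLE_ADVISORIES))
    print("suggested fix:", suggest_fix(SAMPLE_ADVISORIES))
```

With the sample data the naive fix for ADV-A (2.9.10.1) is still inside the ranges of ADV-B and ADV-C, and the fix for ADV-B (2.9.10.3) is inside ADV-C's range, so only 2.9.10.5 survives.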

Package Risk audit

The --risk-audit argument enables the package risk audit. Currently, only npm and PyPI packages are supported in this mode. A number of risk factors are identified and assigned weights to compute a final risk score. Packages that exceed a maximum risk score (config.pkg_max_risk_score) are then presented in a table.

Use --private-ns to specify the private package namespace that should be checked for dependency confusion type issues where a private package is available on public npm/pypi registry.

For example, to check that private packages in the @appthreat and @shiftleft namespaces have not accidentally been made public, pass:

--private-ns appthreat,shiftleft

Risk category                   Default weight  Reason
pkg_private_on_public_registry  4               Private package is available on a public registry
pkg_min_versions                2               Package has fewer than 3 versions, an extreme that means it is either very stable or very recent. Special heuristics are applied to ignore older stable packages
mod_create_min_seconds          1               Less than 12 hours between the creation and modified time. This indicates that the upload had a defect that had to be rectified immediately; such a rapid update can also be malicious
latest_now_min_seconds          0.5             Less than 12 hours between the latest version and the current time. Depending on the package, such a fresh release may or may not be desirable
latest_now_max_seconds          0.5             Package versions that are over 6 years old are in use. Such packages may have vulnerable dependencies, known or yet to be found
pkg_min_maintainers             2               Package has fewer than 2 maintainers. Many open-source projects have only 1 or 2 maintainers, so special heuristics are used to ignore older stable packages
pkg_min_users                   0.25            Package has fewer than 2 npm users
pkg_install_scripts             2               Package runs custom pre- or post-install scripts. Install scripts are a common vector for malicious packages and a downside of npm
pkg_node_version                0.5             Package supports an outdated version of Node such as 0.8, 0.10, 4 or 6.x. Such projects may have prototype pollution or closure related vulnerabilities
pkg_scope                       4 or 0.5        Packages used directly by the application (required scope) get a weight of 4. Optional packages get a score of 0.25
deprecated                      1               Latest version is deprecated

Refer to pkg_query.py::get_category_score method for the risk formula.

Automatic adjustment

A parameter called created_now_quarantine_seconds is used to identify packages that are safely past the quarantine period (1 year). Certain risks such as pkg_min_versions and pkg_min_maintainers are suppressed for packages past the quarantine period. This adjustment helps reduce noise since it is unlikely that a malicious package can exist in a registry unnoticed for over a year.

Configuring weights

All parameters can be customized using environment variables. For example:

export PKG_MIN_VERSIONS=4

raises the pkg_min_versions parameter to 4.
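As an added example (not dep-scan's pkg_query.py), the Python below scores constructed package metadata with the default weights from the table above, lets each weight be overridden through its upper-cased environment variable as just described, applies the one-year quarantine adjustment, and checks --private-ns namespaces against a stand-in public-registry lookup to flag dependency confusion candidates. The additive formula (pkg_scope weight plus the weights of the triggered categories), the threshold of 6.0 standing in for config.pkg_max_risk_score, the on_public_registry stub and all package data and timestamps are assumptions made for illustration.

```python
"""Illustrative package risk audit in the spirit of dep-scan --risk-audit (added example)."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Default weights from the README table; pkg_scope (4 or 0.5) is applied in risk_score().
DEFAULT_WEIGHTS: Dict[str, float] = {
    "pkg_private_on_public_registry": 4.0, "pkg_min_versions": 2.0,
    "mod_create_min_seconds": 1.0, "latest_now_min_seconds": 0.5,
    "latest_now_max_seconds": 0.5, "pkg_min_maintainers": 2.0,
    "pkg_min_users": 0.25, "pkg_install_scripts": 2.0,
    "pkg_node_version": 0.5, "deprecated": 1.0,
}
DAY, HOURS_12 = 86400, 12 * 3600
YEAR = 365 * DAY
CREATED_NOW_QUARANTINE_SECONDS = YEAR   # older packages skip the "new package" checks
PKG_MAX_RISK_SCORE = 6.0                # assumed stand-in for config.pkg_max_risk_score


def load_weights(env: Optional[Dict[str, str]] = None) -> Dict[str, float]:
    """Each weight is overridable by its upper-cased env var, e.g. PKG_MIN_VERSIONS=4."""
    src = os.environ if env is None else env
    return {k: float(src.get(k.upper(), v)) for k, v in DEFAULT_WEIGHTS.items()}


def parse_private_ns(arg: str) -> Set[str]:
    """Mirror --private-ns: comma separated namespaces, leading '@' optional."""
    return {n.strip().lstrip("@") for n in arg.split(",") if n.strip()}


@dataclass
class PkgMeta:
    """Registry metadata for one package; timestamps are epoch seconds."""
    name: str
    scope: str                  # "required" or "optional"
    versions: int
    maintainers: int
    users: int
    created: float
    modified: float
    latest_published: float
    has_install_scripts: bool = False
    deprecated: bool = False
    node_engines: Tuple[str, ...] = ()


def risk_factors(pkg: PkgMeta, now: float, private_ns: Set[str],
                 on_public_registry: Callable[[str], bool]) -> Set[str]:
    """Risk categories a package triggers, with the quarantine adjustment applied."""
    ns = pkg.name.split("/")[0].lstrip("@")          # '@acme/pkg' -> 'acme'
    past_quarantine = now - pkg.created > CREATED_NOW_QUARANTINE_SECONDS
    checks = [
        ("pkg_private_on_public_registry", ns in private_ns and on_public_registry(pkg.name)),
        ("pkg_min_versions", pkg.versions < 3 and not past_quarantine),
        ("pkg_min_maintainers", pkg.maintainers < 2 and not past_quarantine),
        ("pkg_min_users", pkg.users < 2),
        ("mod_create_min_seconds", 0 <= pkg.modified - pkg.created < HOURS_12),
        ("latest_now_min_seconds", now - pkg.latest_published < HOURS_12),
        ("latest_now_max_seconds", now - pkg.latest_published > 6 * YEAR),
        ("pkg_install_scripts", pkg.has_install_scripts),
        # simplified engine check: bare version prefixes, not full semver ranges
        ("pkg_node_version", any(v.startswith(("0.8", "0.10", "4", "6")) for v in pkg.node_engines)),
        ("deprecated", pkg.deprecated),
    ]
    return {category for category, hit in checks if hit}


def risk_score(pkg: PkgMeta, hit: Set[str], weights: Dict[str, float]) -> float:
    """Assumed formula: the pkg_scope weight plus the weights of all triggered categories."""
    return (4.0 if pkg.scope == "required" else 0.5) + sum(weights[f] for f in hit)


def audit(pkgs: List[PkgMeta], now: float, private_ns: Set[str],
          on_public_registry: Callable[[str], bool],
          weights: Optional[Dict[str, float]] = None,
          max_score: float = PKG_MAX_RISK_SCORE) -> List[Tuple[str, float, List[str]]]:
    """Packages whose score exceeds max_score, as (name, score, sorted factors)."""
    weights = load_weights() if weights is None else weights
    out = []
    for p in pkgs:
        hit = risk_factors(p, now, private_ns, on_public_registry)
        score = risk_score(p, hit, weights)
        if score > max_score:
            out.append((p.name, score, sorted(hit)))
    return out


# Constructed sample data: not real packages, registry responses or timestamps.
NOW = 1_700_000_000
SAMPLE_PACKAGES = [
    PkgMeta("@acme/internal-auth", "required", 1, 1, 0, NOW - 10 * DAY, NOW - 8 * DAY,
            NOW - 8 * DAY, has_install_scripts=True),
    PkgMeta("express-ish", "required", 300, 3, 10000, NOW - 5 * YEAR, NOW - 4 * YEAR,
            NOW - 2 * YEAR),
    PkgMeta("tiny-util", "optional", 2, 1, 1, NOW - 3 * DAY, NOW - 3 * DAY + 3600,
            NOW - 3600),
    PkgMeta("legacy-lib", "required", 2, 1, 50, NOW - 8 * YEAR, NOW - 7 * YEAR,
            NOW - 7 * YEAR, node_engines=("0.10",)),
]
PUBLIC_REGISTRY = {"@acme/internal-auth", "express-ish", "tiny-util", "legacy-lib"}


def on_public_registry(name: str) -> bool:
    """Stand-in for querying registry.npmjs.org or pypi.org for the name."""
    return name in PUBLIC_REGISTRY
```

Calling audit(SAMPLE_PACKAGES, NOW, parse_private_ns("acme"), on_public_registry) flags @acme/internal-auth (private namespace present on the public registry, brand new, single maintainer, install scripts) and tiny-util (fresh, hastily re-uploaded, single maintainer), while legacy-lib, despite its two versions and one maintainer, is past the quarantine period and only accrues the stale-release and old-Node weights, so it stays below the threshold.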

Live OS scan

By passing -t os, depscan can generate an SBoM for a live operating system or a VM with OS packages and kernel information. Optionally, pass the argument --deep to generate an SBoM with both OS and application packages and to check for application vulnerabilities.

All OS packages.

depscan -t os -i . -o reports/depscan.json

All OS and application packages.

depscan -t os --deep -i . -o reports/depscan.json

License scan

dep-scan can scan the dependencies for any license limitations and report them directly on the console log. To enable license scanning set the environment variable FETCH_LICENSE to true.

export FETCH_LICENSE=true

The license data is sourced from choosealicense.com and is quite limited. If the license of a given package cannot be reliably matched against this list it is silently ignored to reduce noise. This behavior may change in the future once the detection logic improves.

License scan

Kubernetes and Cloud apps

dep-scan can auto-detect most cloud applications and Kubernetes manifest files. Pass the argument -t yaml-manifest to specify the type manually.

Alternatives

Dependency Check is considered the industry standard for open-source dependency scanning. After personally using this great product for many years, I decided to write my own from scratch, partly as a dedication to that project. By using a streaming database based on msgpack and JSON schema, dep-scan is more performant than Dependency Check in CI environments. Plus, with support for the GitHub advisory source and Grafeas report export and submission, dep-scan is on track to become a next-generation dependency audit tool.

Several other tools piggyback on the Sonatype OSS Index API server. For some reason, I always felt uncomfortable letting a commercial company track the usage of various projects worldwide. dep-scan is, therefore, 100% private and guarantees never to perform any tracking!

Trivy, grype etc

These mature projects are considered the benchmark for container, filesystem and registry scanning. dep-scan is yet to be benchmarked against these projects for results and performance. dep-scan even uses Trivy for container SBoM generation via cdxgen-binary-plugins, although this would change in the future. I aspire to make dep-scan outperform these projects with simplicity and actionable results. The CVE insights offered by dep-scan could be used for prioritization to reduce the number of package updates and container rebuilds.

Discord support

The developers can be reached via the Discord channel.
