OWASP dep-scan is an open-source security and risk assessment tool that leverages information on vulnerabilities, advisories, and licensing restrictions for project dependencies. It supports local repositories and container images as input sources, making it suitable for integration with ASPM/VM platforms and use in CI environments.
OWASP dep-scan features
Caroline Russell, Staff Security Engineer at AppThreat, outlines the most important features:
- Depscan utilizes cdxgen to produce Software Bill-of-Materials (SBOMs), which allows us to support many different languages and source code configurations
- It offers result exports into customizable Jinja reports as well as JSON documents in a couple of standards, including: CycloneDx Vulnerability Disclosure Report (VDR) and Common Security Advisory Framework (CSAF) 2.0
- Reachability analysis, that uses AppThreat/atom to create slices of the source code
- Deep packages risk audit for dependency confusion attacks and maintenance risks
Vulnerability data sources:
- OSV
- NVD
- GitHub
- NPM
- Linux vuln-list (Use –cache-os)
Future development and download
Russell told us that the team is working towards OWASP dep-scan 6.0 which they intend to release near the end of the year. Upcoming features include:
- A faster backend database for querying vulnerabilities
- BLint integration
- User configuration settings: pertaining to automatic updates of the backend threat database, and user-defined scan exclusions
OWASP dep-scan is available for free on GitHub.
Must read: