OWASP dep-scan v5 released
If there is one product release that can summarize everything my colleagues and I have been working on for a whole year, it is dep-scan v5. Everything we did, from creating the atom project to adding evinse to cdxgen, is to make dep-scan v5 possible.
So, what is depscan v5?
An advanced SCA tool for everyone
dep-scan or depscan or DepScan (name unimportant) is an MIT-licensed Software Composition Analysis (SCA) tool that is purpose-built to forget. Our team got frustrated with the state of all SCA tools and decided to do something about it.
Did you know that an ideal SCA tool must be silent and must not distract or prevent developers from doing their actual work, which is building features and fixing bugs? It must do everything it can to triage, prioritize, and make results actionable for users.
The tool must explain beyond doubt why a given package needs to be updated, or why a given usage of a library needs extra mitigation.
The explanation must be precise and not based on any pseudo-science or fake exploit prediction scores.
Lastly, the tool must just work for any real-world application, in both static and dynamic languages.
Private by design
Depscan performs all analyses, including reachability analysis, entirely in your build environment or CI/CD system. No SBOM or code ever leaves your premises, and there is no telemetry in the code. You can even run depscan in air-gapped environments using the container image or the PyPI package. Since the project is MIT-licensed, you are free to bundle, integrate, and use depscan anywhere that can support Python > 3.8, Node.js >= 16, and Java >= 17.
Filled with inventions
Implementing an SCA tool that can perform precision reachability analysis entirely in a CI without access to any annotation/symbols data was an impossible task. Our team invented and open-sourced several innovations to make this possible.
Built on top of OWASP CycloneDX
dep-scan works by making heavy use of the comprehensive BOM generated by CycloneDX Generator (cdxgen). The vulnerability and exploitability results are then saved in CycloneDX VDR format, making it easy to integrate with other tools and platforms such as Dependency Track.
And one more thing
depscan is also an automated VEX machine!
What if we had a machine that could effortlessly prove and justify why a given vulnerability is NOT EXPLOITABLE? Depscan is the only tool that can work both as a VDR tool, reporting reachable and exploitable vulnerabilities, and as a VEX tool, justifying non-exploitability. VEX reports can be exported in OASIS CSAF format (Thanks, Omar Santos, for your help and encouragement!)
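The VDR and VEX output described above is a CycloneDX document whose `vulnerabilities` entries carry an `analysis` block with a `state` (for example `exploitable` or `not_affected`) and, for non-exploitability claims, a `justification` such as `code_not_reachable`. The script below is an added illustration of how a consumer of such a document can split findings into "fix now", "suppressed with a justification" and "needs human review"; it is not code from dep-scan or cdxgen, and the sample document, its vulnerability ids and its package names are constructed placeholders.

```python
"""Triage a CycloneDX VDR/VEX document into actionable buckets.

Added illustration, not code from dep-scan or cdxgen. The sample document is
constructed by hand to mirror the CycloneDX `vulnerabilities` structure that
dep-scan writes; the vulnerability ids and package names are placeholders.
"""
import json
from collections import Counter

# Ordering for CycloneDX rating severities, used to sort the exploitable list.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1,
                 "none": 0, "unknown": 0}

# Constructed sample VDR: one reachable finding, one justified VEX
# "not_affected" statement, one unjustified suppression, one untriaged entry.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/example-lib@1.2.0", "name": "example-lib", "version": "1.2.0"},
        {"bom-ref": "pkg:npm/example-ui@4.0.1", "name": "example-ui", "version": "4.0.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",  # placeholder, not a real CVE id
         "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.0"}],
         "analysis": {"state": "exploitable",
                      "detail": "vulnerable function reached from an application entry point"},
         "recommendation": "Update example-lib to a fixed version"},
        {"id": "EXAMPLE-0002",
         "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:npm/example-ui@4.0.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "affected API is never called from the application"}},
        {"id": "EXAMPLE-0003",
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:npm/example-ui@4.0.1"}],
         "analysis": {"state": "not_affected"}},  # non-exploitability claimed without a justification
        {"id": "EXAMPLE-0004",
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.0"}]},  # no analysis block at all
    ],
})


def load_vdr(text):
    """Parse a CycloneDX JSON document and reject anything else early."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def max_severity(vuln):
    """Highest severity across all ratings of one entry; 'unknown' when none is given."""
    best = "unknown"
    for rating in vuln.get("ratings", []):
        sev = rating.get("severity", "unknown")
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(best, 0):
            best = sev
    return best


def triage(doc):
    """Bucket findings: exploitable (fix), suppressed (justified VEX), needs_review.

    A `not_affected` state is honoured only when it carries a justification; an
    unjustified suppression and a missing analysis both go to needs_review so
    that nothing is silently dropped.
    """
    report = {"exploitable": [], "suppressed": [], "needs_review": []}
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state", "in_triage")  # CycloneDX default when untriaged
        entry = {
            "id": vuln.get("id", "<no id>"),
            "refs": [a.get("ref") for a in vuln.get("affects", [])],
            "severity": max_severity(vuln),
            "state": state,
            "justification": analysis.get("justification"),
            "detail": analysis.get("detail", ""),
            "recommendation": vuln.get("recommendation", ""),
        }
        if state == "exploitable":
            report["exploitable"].append(entry)
        elif state == "not_affected" and entry["justification"]:
            report["suppressed"].append(entry)
        else:
            report["needs_review"].append(entry)
    report["exploitable"].sort(key=lambda e: SEVERITY_RANK.get(e["severity"], 0), reverse=True)
    return report


def state_counts(doc):
    """Count analysis states, treating a missing analysis block as in_triage."""
    return Counter((v.get("analysis") or {}).get("state", "in_triage")
                   for v in doc.get("vulnerabilities", []))


if __name__ == "__main__":
    result = triage(load_vdr(SAMPLE_VDR))
    for bucket, entries in result.items():
        print(f"== {bucket} ({len(entries)}) ==")
        for e in entries:
            print(f"  {e['id']} [{e['severity']}] {', '.join(e['refs'])} "
                  f"state={e['state']} justification={e['justification']}")
```

The point of the `needs_review` bucket is that a VEX statement is only as good as its justification: a pipeline that gates on `state` alone would accept EXAMPLE-0003 as closed even though no reason was recorded, and would drop EXAMPLE-0004 because it has no analysis at all.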
Thank you
Caroline Russell, for single-handedly taking care of all of depscan. This is your product!
Saket Jajoo, for your ORAS and filesystem expertise. Your work is so perfect that none of our users would even notice the database download step.
Tim Messing, for numerous improvements to security and ease of use.
Sam Stepanyan, for all your insights and the opportunity to present the tool at OWASP London.
And many, many more friends and colleagues for the constant motivation, bug reports, testing, and evangelism!
Solutions Engineer at Cloudsmith (1 year ago): Automated VEX ??
Application Performance | Application Design | Enterprise Architecture | Cloud | Security | Automation (1 year ago): This is Awesome !!. well done
Distinguished Engineer, Cybersecurity and AI Security Research - Security & Trust - Cisco Systems (1 year ago): Outstanding work!!! Congratulations!!!