ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.

Home Page: https://discord.gg/DCNxzaeUpd


Consider allowing users to bring their own CycloneDX SBOM files

erichs opened this issue · comments

There are a couple of cases where this can be helpful:

  1. for whatever reason, a CycloneDX-compatible BOM file is already being generated with one of these tools
  2. the underlying cdxgen cannot be made to work with the repo at hand

It would be really great to pass a path to a BOM.xml or BOM.json file via args or .sastscanrc, and have it skip the bomgen step for that run.

When cdxgen throws, only an empty-scan-report.sarif file is generated.

@erichs This is an interesting idea. dep-scan already supports scanning based on an existing bom file - https://github.com/AppThreat/dep-scan/blob/master/depscan/cli.py#L95

So a .sastscanrc file like the one below would work, assuming a bom.json exists in the src directory.

{
  "depscan": [
    "/usr/local/bin/depscan",
    "--no-banner",
    "--suggest",
    "--src",
    "%(src)s",
    "--bom",
    "%(src)s/bom.json",
    "--report_file",
    "%(report_fname_prefix)s.json"
  ]
}
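As an added example (not code from this thread or from the sast-scan project), the following Python script shows how the `depscan` argument list above expands once the `%(src)s` and `%(report_fname_prefix)s` placeholders are filled in, and adds the check a practitioner would want before skipping the cdxgen step: that the user-supplied file actually exists and looks like a CycloneDX JSON BOM with at least one component, so a broken or empty BOM is reported instead of silently producing an empty scan report. It assumes the placeholder substitution behaves like Python's `%`-style dict formatting (which the `%(name)s` syntax suggests) and uses a constructed `bom.json` written to a temporary directory; the function names are hypothetical.

```python
import json
import os
import tempfile

# Constructed .sastscanrc fragment mirroring the one posted in the thread.
SASTSCANRC = {
    "depscan": [
        "/usr/local/bin/depscan",
        "--no-banner",
        "--suggest",
        "--src",
        "%(src)s",
        "--bom",
        "%(src)s/bom.json",
        "--report_file",
        "%(report_fname_prefix)s.json",
    ]
}


def render_command(argv_template, src, report_fname_prefix):
    """Expand %(name)s placeholders in each argument.

    Assumption: sast-scan substitutes these with Python %-style dict formatting.
    """
    values = {"src": src, "report_fname_prefix": report_fname_prefix}
    return [arg % values for arg in argv_template]


def bom_path_from_command(argv):
    """Return the value following --bom, or None if the flag is absent or dangling."""
    if "--bom" in argv:
        idx = argv.index("--bom")
        if idx + 1 < len(argv):
            return argv[idx + 1]
    return None


def validate_cyclonedx_doc(doc):
    """Check a parsed JSON document for the CycloneDX fields a scanner relies on.

    Returns (ok, reason). An empty components list is rejected because scanning it
    would yield the same empty report the issue describes.
    """
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        return False, "bomFormat is not CycloneDX"
    if "specVersion" not in doc:
        return False, "missing specVersion"
    components = doc.get("components")
    if not isinstance(components, list) or not components:
        return False, "BOM has no components; scanning it would yield an empty report"
    return True, f"CycloneDX {doc['specVersion']} BOM with {len(components)} component(s)"


def validate_cyclonedx_json(path):
    """Check that the BOM file exists, parses as JSON and passes validate_cyclonedx_doc."""
    if path is None or not os.path.isfile(path):
        return False, f"BOM file not found: {path}"
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return False, f"BOM is not valid JSON: {exc}"
    return validate_cyclonedx_doc(doc)


def demo():
    """Write a constructed bom.json into a temp src dir and validate the rendered command."""
    with tempfile.TemporaryDirectory() as src:
        # Constructed minimal CycloneDX 1.4 BOM with a single hypothetical component.
        bom = {
            "bomFormat": "CycloneDX",
            "specVersion": "1.4",
            "version": 1,
            "components": [
                {"type": "library", "name": "example-lib", "version": "1.0.0",
                 "purl": "pkg:npm/example-lib@1.0.0"}
            ],
        }
        with open(os.path.join(src, "bom.json"), "w", encoding="utf-8") as fh:
            json.dump(bom, fh)
        argv = render_command(SASTSCANRC["depscan"], src,
                              os.path.join(src, "reports", "depscan-report"))
        ok, reason = validate_cyclonedx_json(bom_path_from_command(argv))
        return ok, reason, argv


if __name__ == "__main__":
    ok, reason, argv = demo()
    print("command:", " ".join(argv))
    print("bom check:", ok, reason)
```

Running the script prints the fully expanded depscan command and the result of the BOM check; in a CI wrapper the same check can gate whether the `--bom` override is used or the run falls back to generating a BOM.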

Wow, I missed that. Perfect. Thanks also for the .sastscanrc example!