Quick Start
Dep-scan can be run as a server or from the command line (cli).
Tip: The recommended way to use dep-scan is via the Docker container.
Dep-scan cli (docker)
Run dep-scan on your project and receive the reports in the reports directory.
cd /path/to/your/project
docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan depscan --src /app --reports-dir /app/reports
Tip: For more usage options, see the Usages section.
Dep-scan server (docker)
Running the following command from the dep-scan repository should start the dep-scan server on port 7070.
docker compose up
Dep-scan Sample Report
The entire report for java-sec-code can be downloaded here.
Recommendation section of the sample report
The vulnerabilities below have been prioritized by depscan. Follow your team’s remediation workflow to address these findings.
Top Priority (BOM)
╔════════════════════════════════════════════════════════════╤══════════════════╤═════════════╤══════════════════════════════════════════════════════════════════════════════╗
║ Package │ Prioritized CVEs │ Fix Version │ Next Steps ║
╟────────────────────────────────────────────────────────────┼──────────────────┼─────────────┼──────────────────────────────────────────────────────────────────────────────╢
║ pkg:maven/org.springframework.boot/spring-boot-starter-web │ CVE-2022-22965 │ │ depscan is unable to determine a fixed version. Refer to the project’s ║
║ │ │ │ documentation and issue tracker for possible upgrade options. ║
╟────────────────────────────────────────────────────────────┼──────────────────┼─────────────┼──────────────────────────────────────────────────────────────────────────────╢
║ pkg:maven/ch.qos.logback/logback-core │ CVE-2021-42550 │ │ depscan is unable to determine a fixed version. Refer to the project’s ║
║ │ │ │ documentation and issue tracker for possible upgrade options. ║
╟────────────────────────────────────────────────────────────┼──────────────────┼─────────────┼──────────────────────────────────────────────────────────────────────────────╢
║ pkg:maven/org.apache.tomcat.embed/tomcat-embed-core │ CVE-2024-21733 │ 8.5.99 │ With 16 vulnerabilities, identify the challenges involved in updating this ║
║ │ CVE-2023-46589 │ │ package to version '8.5.99'. With potentially exploitable CVEs present, care ║
║ │ CVE-2022-42252 │ │ must be taken to manage the risks. ║
║ │ CVE-2021-25329 │ │ ║
║ │ CVE-2021-25122 │ │ ║
║ │ CVE-2020-1938 │ │ ║
║ │ CVE-2019-17563 │ │ ║
║ │ CVE-2019-12418 │ │ ║
║ │ CVE-2019-10072 │ │ ║
║ │ CVE-2019-0232 │ │ ║
║ │ CVE-2019-0221 │ │ ║
║ │ CVE-2019-0199 │ │ ║
║ │ CVE-2018-8034 │ │ ║
║ │ CVE-2018-8014 │ │ ║
║ │ CVE-2018-1336 │ │ ║
║ │ CVE-2018-11784 │ │ ║
╟────────────────────────────────────────────────────────────┼──────────────────┼─────────────┼──────────────────────────────────────────────────────────────────────────────╢
║ pkg:maven/org.springframework/spring-web │ CVE-2024-22262 │ │ Check the package’s issue tracker for available patches and workarounds. ║
║ │ CVE-2024-22259 │ │ ║
║ │ CVE-2024-22243 │ │ ║