Skip to main content

Migrate from depscan v5 to v6

Use this document as a reference to migrate your depscan v5 workflows to v6.

CLI arguments (BREAKING)

  • -o is now an alias for --reports-dir. This is the output directory to store the reports.
  • All threatdb related arguments and submit bom functionality are removed.
  • --cache, --sync, --no-error, --no-license-scan arguments are removed.
  • --bom-engine argument defaults to auto. In environments where the docker command is available, depscan automatically chooses a container-image–based SBOM generation. Pass --bom-engine CdxgenGenerator to force depscan to use the local cdxgen CLI.
  • --vulnerability-analyzer argument defaults to auto. Depending on the --bom-dir argument, depscan will either perform a lifecycle-based vulnerability analysis or the standard VDR analysis (similar to depscan v5).
  • By default, only PURL-based searches are performed. As a result, depscan v6 yields fewer but more accurate results compared to v5. To perform a fuzzy search by generating variations of package names, use the --fuzzy-search argument. This is recommended when the input SBOM lacks a PURL.
  • --reachables-slices-file argument is removed.

Packages/Dependencies changes

  • quart package is an optional dependency in v6. To use the server mode, do pip install owasp-depscan[all].
  • oras is an required dependency via appthreat-vulnerability-db[oras] and blint.

Build and packaging

  • dep-scan repo uses uv for building and packaging.
  • The scan command alias has been removed. Use the depscan command to invoke the CLI.

Reports

  • .vdr.json file is now correctly created in the reports directory. In v5, depscan used to create bom.json directly in the input directory when using the appsec or research profile. This workaround has been completely removed in v6.
  • BOMs created by depscan now use the new .cdx.json extension with the sbom-project_type prefix. Example: sbom-java.cdx.json, sbom-docker.cdx.json.
  • When invoked with the --bom-dir argument containing multiple BOM files or when using the new lifecycle analyzer, a single VDR file named depscan-universal.vdr.json is created under the reports directory.
  • The JSON Lines file depscan.json is no longer created.
  • PDF reports based on Rich HTML reports are no longer available. Use the browser print functionality in the HTML report to export to PDF.

Remote audit

In v6, remote audit (e.g., for the nodejs project type) is disabled by default. To include remote audit results, invoke depscan with --risk-audit or set the environment variable ENABLE_OSS_RISK=true.

Server mode

Server-related functionality has been extracted to a separate project called ds-server-lib and is now optional.

  • The /download-vdb endpoint is no longer available to remove oras as a dependency for the server lib.