owasp-dep-scan · prabhu · Sep 22, 2023 · Sep 22, 2023
diff --git a/.github/workflows/dockertests.yml b/.github/workflows/dockertests.yml
@@ -7,10 +7,10 @@ on:
       - feature/*
     paths-ignore:
       - '**/README.md'
-
+  pull_request:
 jobs:
   version_tests:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest]
@@ -27,25 +27,16 @@ jobs:
       run: |
         python3 -m pip install --upgrade pip
         python3 -m pip install .[dev]
-        sudo npm install -g @cyclonedx/cdxgen
+        npm install -g @cyclonedx/cdxgen
         mkdir -p repotests
     - name: Test container images
       run: |
-        wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
-        mv cyclonedx-linux-x64 cyclonedx
-        chmod +x cyclonedx
         mkdir -p containertests
         rm -rf $VDB_HOME && mkdir -p $VDB_HOME
         pip install -r contrib/requirements.txt
-        # python3 depscan/cli.py --cache --no-error --src ghcr.io/owasp-dep-scan/dep-scan -o containertests/depscan-scan.json -t docker
-        # python contrib/vex-validate.py --json containertests/sbom-scan-docker.vex.json
-        # rm -rf $VDB_HOME && mkdir -p $VDB_HOME
-        python3 depscan/cli.py --cache --no-error --src shiftleft/scan-slim -o containertests/depscan-slim.json -t docker,license --no-vuln-table
-        python contrib/vex-validate.py --json containertests/sbom-slim-docker.vex.json
-        rm -rf $VDB_HOME && mkdir -p $VDB_HOME
-        python3 depscan/cli.py --cache --no-error --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker --no-vuln-table
-        python contrib/vex-validate.py --json containertests/sbom-redmine-docker.vex.json
-        ls -ltr containertests
+        # python3 depscan/cli.py --no-banner --cache --no-error --src ghcr.io/owasp-dep-scan/dep-scan -o containertests/depscan-scan.json -t docker
+        python3 depscan/cli.py --no-banner --cache --no-error --src shiftleft/scan-slim -o containertests/depscan-slim.json -t docker,license --no-vuln-table
+        python3 depscan/cli.py --no-banner --no-error --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker --no-vuln-table
       env:
         PYTHONPATH: "."
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +46,7 @@ jobs:
         name: containertests
         path: containertests
   version_tests2:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -72,15 +63,14 @@ jobs:
       run: |
         python3 -m pip install --upgrade pip
         python3 -m pip install .[dev]
-        sudo npm install -g @cyclonedx/cdxgen
+        npm install -g @cyclonedx/cdxgen
         mkdir -p repotests
     - name: Test container images
       run: |
         mkdir -p containertests
         pip install -r contrib/requirements.txt
-        python3 depscan/cli.py --no-error --src rocket.chat@sha256:379f7afa0e67497c363ac9a9b3e7e6a6d31deee228233307c987e4a0c68b28e6 -o containertests/depscan-rocket.json --no-vuln-table
-        python3 depscan/cli.py --no-error --src ./test/data/bom-yaml-manifest.json -o containertests/depscan-yaml.json --no-vuln-table
-        ls -ltr containertests
+        python3 depscan/cli.py --no-banner --no-error --src rocket.chat@sha256:379f7afa0e67497c363ac9a9b3e7e6a6d31deee228233307c987e4a0c68b28e6 -o containertests/depscan-rocket.json --no-vuln-table
+        python3 depscan/cli.py --no-banner --no-error --src ./test/data/bom-yaml-manifest.json -o containertests/depscan-yaml.json --no-vuln-table
       env:
         PYTHONPATH: "."
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/gobintests.yml b/.github/workflows/gobintests.yml
@@ -6,7 +6,7 @@ on:
       - master
     paths-ignore:
       - '**/README.md'
-
+  pull_request:
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -42,7 +42,6 @@ jobs:
         python3 depscan/cli.py --no-error --src gobintests/terraform -o gobintests/depscan-terraform.json -t go
         python3 depscan/cli.py --no-error --src gobintests/consul -o gobintests/depscan-consul.json -t go
         python3 depscan/cli.py --no-error --src gobintests/minikube-linux-amd64 -o gobintests/depscan-minikube.json -t go
-        ls -ltr gobintests
       env:
         PYTHONPATH: "."
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/pythonapp.yml b/.github/workflows/pythonapp.yml
@@ -4,10 +4,10 @@ on:
   push:
     paths-ignore:
       - '**/README.md'
-
+  pull_request:
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -31,8 +31,3 @@ jobs:
     - name: Test with pytest
       run: |
         pytest --cov=depscan test
-    - uses: AppThreat/dep-scan-action@master
-      env:
-        VDB_HOME: ${{ github.workspace }}/db
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      continue-on-error: true
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ LABEL maintainer="AppThreat" \
       org.opencontainers.image.authors="Team AppThreat <cloud@appthreat.com>" \
       org.opencontainers.image.source="https://github.com/appthreat/dep-scan" \
       org.opencontainers.image.url="https://appthreat.io" \
-      org.opencontainers.image.version="4.1.2" \
+      org.opencontainers.image.version="4.2.9" \
       org.opencontainers.image.vendor="appthreat" \
       org.opencontainers.image.licenses="MIT" \
       org.opencontainers.image.title="dep-scan" \

diff --git a/depscan/cli.py b/depscan/cli.py
@@ -745,9 +745,13 @@ def main():
         if os.environ.get("GITHUB_TOKEN"):
             sources_list.insert(0, GitHubSource())
         if run_cacher:
+            LOG.debug(
+                "About to download vdb from %s. This might take a while ...",
+                vdb_database_url,
+            )
             oras_client = oras.client.OrasClient()
             paths_list = oras_client.pull(target=vdb_database_url, outdir=data_dir)
-            LOG.debug(f"VDB data is stored at: {paths_list}")
+            LOG.debug("VDB data is stored at: %s", paths_list)
             run_cacher = False
         elif args.sync:
             for s in sources_list:

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "owasp-depscan"
-version = "4.2.8"
+version = "4.2.9"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},