Do you use dependency analysis and vulnerability detection tools?

This page summarizes the projects mentioned and recommended in the original post on /r/learnprogramming

  • DependencyCheck

    OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

  • OWASP DependencyCheck - a really decent tool for scanning your project for vulnerable dependencies. It is actively developed and updated and up to date with the latest vulnerabilities. Sometimes it can be a pain in the ass, though. Some security researchers and such find a vulnerability, publish it, and the next day our CI/CD pipelines fail (the dependency check build step prevents the code from going to production). And a fix is not always available. So some vulnerabilities have to be ignored, temporarily. Also, to be able to ignore a vulnerability one has to do a fast risk assessment. And that will require him to read about the vulnerability and decide if it is safe to ignore or whether some different workaround must be found.
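As an added example (not from the post or the dependency-check project), this is a suppression file of the kind the temporary-ignore workflow above calls for: the `until` attribute makes the suppression expire, and the notes record the risk assessment. The package coordinates, CVE id and ticket reference are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check; pass it with
     the CLI flag --suppression suppressions.xml (or the build plugin's
     equivalent setting). Coordinates and CVE id below are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Time-boxed suppression: dependency-check stops honouring it after the
       'until' date, so the pipeline fails again if nobody revisits the finding. -->
  <suppress until="2025-01-31Z">
    <notes><![CDATA[
      Risk assessment (placeholder text): the vulnerable code path requires the
      affected feature to be enabled, and this service does not use it. No fixed
      release exists yet; re-evaluate when the upstream fix ships or at expiry.
      Reviewer: security team; ticket: TICKET-PLACEHOLDER
    ]]></notes>
    <!-- Match only the specific artifact, not every dependency reporting this CVE -->
    <packageUrl regex="true">^pkg:maven/example\.group/example\-artifact@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

A suppress entry without `until` never expires, so a "temporary" ignore silently becomes permanent; the expiry date is what keeps the risk assessment honest.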

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  • Trivy scan - I have a bit mixed feelings about that. It scans more stuff than OWASP DependencyCheck: Docker images, filesystem, VM, Kubernetes, etc. So in a way it is also very good. But then again, some of the vulnerabilities it finds are very difficult to fix, if not impossible. Let's say it finds a vulnerability inside Gradle itself or inside Maven itself. These are tools that regular developers are not maintaining. Only the developers who actually develop Gradle/Maven itself and improve it can fix it. Or some pull requests on their projects. But you'll never know when your pull request gets accepted. Also, as it finds vulnerabilities in unorthodox places like the filesystem, Docker images, VM images, it can be difficult for a common software developer to fix them. Sure, there are fixes and workarounds but these are not straightforward.

  • fossa-action

    The action sets up and caches the latest release of fossa-cli, infers the correct configuration from the current system state, analyzes the project for a list of its dependencies, and uploads the results to FOSSA.

  • FOSSA scan - it is different from OWASP DependencyCheck and from Trivy scan. It checks code for supply chain attacks on dependencies and for license violations. For example, let's say your project is using the Dependabot tool for automatically upgrading dependencies. And you are using, I don't know, Gradle v7.6 (currently the latest version). A malicious person takes the source code of Gradle v7.6, adds some malicious stuff to it and publishes it in Maven Repository with version 7.7. Don't know about Dependabot but some tools for sure will try to upgrade your 7.6 to 7.7 then. And often these upgrades are automated. If all the tests pass, end-to-end functionality tests pass, deployment passes, then the upgrade goes through. AND a vulnerability can be introduced into your system. FOSSA scan is for checking if the dependency supply chain is legitimate or fake. A downside is that a full scan will take many hours. So one of our teams is just testing it out right now. It is not feasible to put a 4 hour blocker in our build pipelines. But with fast releases a vulnerability can already be introduced into the system.
