Quick Start
Dep-scan can be run as a server or through its command-line interface (CLI).
Tip: the recommended way to use dep-scan is via the Docker container.
Dep-scan CLI (Docker)
Run dep-scan on your project and receive the reports in the reports
directory:
cd /path/to/your/project
docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
Tip: for more usage options, see the Usage section.
Dep-scan server (Docker)
Running the following command in the dep-scan repository starts the dep-scan server on port 7070:
docker compose up
Dep-scan Sample Report
The entire report for java-sec-code can be downloaded here: java-sec-code.html
Recommendation section of the sample report
Below are the vulnerabilities prioritized by depscan. Follow your team's
remediation workflow to mitigate these findings.
Top Priority (UNIVERSAL)
╔════════════════════════════════╤════════════════╤════════════════╤═══════════╗
║ Package                        │ CVEs           │ Fix Version    │ Reachable ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ spring-boot-starter-thymeleaf… │ CVE-2019-16943 │ 2.12.7.1       │           ║
║ └── spring-boot-starter-web@1… │ CVE-2019-16942 │                │           ║
║     └── jackson-databind@2.9.8 │ CVE-2019-16335 │                │           ║
║ ⬅ CVE-2019-14439               │ CVE-2019-14540 │                │           ║
║                                │ CVE-2019-14439 │                │           ║
║                                │ CVE-2019-12086 │                │           ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ spring-boot-starter-web@1.5.1… │ CVE-2019-17563 │ 8.5.99         │           ║
║ └── spring-boot-starter-tomca… │ CVE-2019-12418 │                │           ║
║     └── tomcat-embed-core@8.5… │ CVE-2019-0221  │                │           ║
║ ⬅ CVE-2018-11784               │ CVE-2019-0199  │                │           ║
║                                │ CVE-2018-8014  │                │           ║
║                                │ CVE-2018-11784 │                │           ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ h2@1.4.199 ⬅ CVE-2022-23221    │ CVE-2022-23221 │ 2.2.220        │           ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ spring-boot-starter-web@1.5.1… │ CVE-2018-1270  │ 4.3.20.RELEASE │           ║
║ └── spring-boot-starter@1.5.1… │                │                │           ║
║     └── spring-core@4.3.6.REL… │                │                │           ║
║ ⬅ CVE-2018-1270                │                │                │           ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ log4j-core@2.9.1 ⬅             │ CVE-2021-44228 │ 2.12.4         │           ║
║ CVE-2021-44228                 │                │                │           ║
╟────────────────────────────────┼────────────────┼────────────────┼───────────╢
║ spring-boot-starter-logging@1… │ CVE-2021-42550 │ 1.2.13         │           ║
║ └── logback-classic@1.1.9      │                │                │           ║
║     └── logback-core@1.1.9 ⬅   │                │                │           ║
║ CVE-2021-42550                 │                │                │           ║
╚════════════════════════════════╧════════════════╧════════════════╧═══════════╝
╭─────────────────────────────── Recommendation ───────────────────────────────╮
│ 👉 Prioritize the 16 vulnerabilities with known exploits.                    │
│ You can remediate 148 vulnerabilities by updating the packages using the fix │
│ version 👍                                                                   │
╰──────────────────────────────────────────────────────────────────────────────╯