Suggest adding a DependencyCheck feature #283

HummerRisk version
0.9.0

How would you like us to improve?
Suggest adding DependencyCheck functionality. `trivy repo` checks for vulnerabilities in the current project's own code, but the most critical and important ones are usually dependency vulnerabilities; only the combination of the two gives comprehensive vulnerability detection. What is your view on this suggestion?
After verification, the vulnerability database parameters that DependencyCheck itself requires (cveUrlBase, cveUrlModified, retireJsUrl) can all be custom-specified, or this project's MySQL can be used directly to store and update the vulnerability database, i.e. offline mode is supported.

Comments

Comment: DependencyCheck, as well as anchore/grype and anchore/syft, were all used in HummerRisk versions before v0.3.0; they were later removed because their functionality overlapped heavily with trivy. DependencyCheck's main strength is that it can scan software source packages directly.

Comment: trivy doesn't check dependencies, it only checks the current project's code; DependencyCheck only checks dependencies, not the project code, so the two complement each other perfectly.

Comment: `trivy repo` also checks dependencies, e.g. pom.xml, with the same effect as `trivy fs` on a single file. So it duplicates DependencyCheck's functionality. Moreover, DependencyCheck's accuracy is far too low, nowhere near trivy's.