illikainen / ossaudit Goto Github PK

Could be good to export data as SARIF format or another simple format like raw object export as JSON

I case of the index DB is updated (a vulnerability is fixed) the ossaudit tool uses the data from the cache and doesn't fetch new records.
To get new data I had to find and remove the cache.json file.
It would be great to have a flag --no-cache to ignore the data from cache.json or --reset-cache to rewrite the cache file.

1. create a config file named ossaudit.conf as mentioned in the README.MD
2. update
   columns = id, name, version, title
3. run
   ossaudit -c ossaudit.conf -i
4. ossaudit will not add id column to the output

options.py add_config does not work well with the config parser output. click-config-file can be used instead of add_config of option.py

I have a situation where developers have a requirements.txt file but none of the packages have a version. While this is allowed by pip, it has resulted in false positives because pip grabs the latest version, but the scan is pulling vulnerability data for the 0 version. While I am trying to get our developers to add versions, which is a much better DevSecOps practice, there really should be a way for the OssIndex scan to use the latest version for the scan as this is what pip pulls in this case. Given the recent dependency confusion attack, this and warning on no version would be huge helps.