Bug: dep-scan picking up findings from CMakeLists.txt files #330
Comments
That does seem to help. Thanks kindly for your prompt response, @prabhu!

@prabhu follow-up question, if you don't mind. When I run the command like this locally on my development machine (where I have cdxgen and depscan installed), I don't get any findings:

When I run the same command as part of my CI process, where it is running within a container, it reports a bunch of container/OS findings. Is there any way to suppress those, since I have type set to cpp? Thanks!

@gcatto No idea. Can you share the SBOM generated in the CI? Or run cdxgen separately with the environment variable

@prabhu is it okay if I email them to you, instead of posting here? Is your email address on https://github.com/prabhu okay to use?

prabhu at appthreat dot com

Sent! Hopefully the files make it through. Thank you!
Expected Behavior

I have started using dep-scan on a number of projects across a number of languages. I noticed I was getting strange malicious findings when running it on a C++ project. From what I can tell in the documentation, etc., C++ support only mentions Conan files (e.g., conanfile.txt).

Actual Behavior

dep-scan seems to be using CMakeLists.txt files in some way and reporting findings as a result.

Steps to Reproduce

Test sub-directory

Test sub-directory, create a CMakeLists.txt file with the following contents:

Note that adding a Conan file (e.g., conanfile.txt) does not seem to change anything.

Additional Information

I am on depscan 5.4.1