Software Composition Analysis (SCA) Scan
With SCA, it is possible to scan for vulnerabilities in the application dependencies. To know about supported SCA languages, refer to Appendix: Supported SCA Languages.
To disable the collection of packages for certain SCA languages, use --disable-sca-languages <languages_to_disable>. The values of this flag are case-insensitive. For example, the following command does not collect Ruby, .NET, or Node.js packages from the given image.
$ ./qscanner image sentry --disable-sca-languages ruby,.net,Node.js
Java Index Database (java-db)
The Java index database is an SQLite database that stores the ArtifactID, GroupID, Version, and SHA1 of JAR files. It is built by parsing all indices from the Maven repository.
QScanner runs in Online scan mode by default. In this mode, it periodically downloads the java-db from https://ghcr.io/v2. The database is used when scanning JAR files so that QScanner can identify the groupId, artifactId, and version of each JAR. It is downloaded and updated automatically when needed, into the java-db directory within the QScanner cache directory, which is $USER_CACHE_DIR/qualys/qscanner/ or the path specified with the --cache-dir flag.
The default cache directory is /root/.cache/qualys/qscanner/.
- When using the clear-local-cache command, the entire cache directory, including the local cache database and the Java index database, will be cleared.
- The java-db is downloaded and initialized only when JAR files are detected in an image. If the java-db download fails, QScanner falls back to an Offline scan.
Supported Java DB Repositories
In addition to https://ghcr.io/v2, the java-db is also published to the following repositories.
- aws: https://public.ecr.aws/v2/
- docker: https://index.docker.io/v2/
By default, QScanner uses the https://ghcr.io/v2 link. You can override this behavior using QSCANNER_ENABLED_JAVADB_REPOS env variable.
For example, export QSCANNER_ENABLED_JAVADB_REPOS=ghcr,aws,docker
This allows QScanner to attempt to download the java-db from each of the listed repositories in turn if an earlier one fails.
The order given in QSCANNER_ENABLED_JAVADB_REPOS is the order in which QScanner tries the repositories when downloading the java-db.
Offline Scan
It is possible to avoid downloading the java-db by running with --offline-scan=true. Use this parameter to disable internet access for SCA and run the scan in Offline mode instead.
It is recommended to run a scan in Online mode. The quality of software package enumeration for Java substantially degrades when the scan is run in offline mode. This can affect the accuracy of the vulnerability posture of the image.
./qscanner image maven \
--mode inventory-only \
--format json \
--offline-scan=true
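A small POSIX shell helper, added here as an example and not part of QScanner, that resolves a QSCANNER_ENABLED_JAVADB_REPOS value into the download order described above (rejecting unknown names, so a typo does not silently leave fewer mirrors) and checks whether a java-db is already present in the cache directory before an Offline scan is started. The USER_CACHE_DIR fallback to $HOME/.cache and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Qualys code. Repository names and URLs are the ones
# documented for QSCANNER_ENABLED_JAVADB_REPOS; everything else is assumed.

# Map a short repository name (case-insensitive) to the registry URL it stands for.
javadb_repo_url() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    ghcr)   echo "https://ghcr.io/v2" ;;
    aws)    echo "https://public.ecr.aws/v2/" ;;
    docker) echo "https://index.docker.io/v2/" ;;
    *)      return 1 ;;
  esac
}

# Print the java-db download order for a comma-separated list, one URL per
# line. Fails on an unknown name instead of dropping it. Defaults to ghcr only.
javadb_repo_order() {
  list="${1:-ghcr}"
  old_ifs=$IFS
  IFS=','
  for name in $list; do
    if ! url=$(javadb_repo_url "$name"); then
      IFS=$old_ifs
      echo "unknown java-db repository: $name" >&2
      return 1
    fi
    echo "$url"
  done
  IFS=$old_ifs
}

# Succeed only if a non-empty java-db directory exists in the cache directory.
# Argument: cache directory (what --cache-dir would point at); the default
# mirrors $USER_CACHE_DIR/qualys/qscanner/, assuming $HOME/.cache when unset.
javadb_cached() {
  cache_dir="${1:-${USER_CACHE_DIR:-$HOME/.cache}/qualys/qscanner}"
  [ -d "$cache_dir/java-db" ] && [ -n "$(ls -A "$cache_dir/java-db" 2>/dev/null)" ]
}

# Warn before an offline run that JAR identification will be degraded.
warn_if_offline_without_javadb() {
  if ! javadb_cached "$1"; then
    echo "no cached java-db: Java package enumeration will be degraded in offline mode" >&2
    return 1
  fi
}
```

Running warn_if_offline_without_javadb before a --offline-scan=true invocation gives a non-zero status when the cache holds no java-db, which a CI pipeline can use to refuse an offline scan of Java images.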