dependency scanning

[mdhenning]

I have a new requirement to perform security scanning on all package dependencies for my application. We recently converted to vcpkg dependency management.

I expected to find all the installed source code in the buildtrees folder, and some are there, however, it does not appear that every package leaves its sources around. I can see how keeping the vcpkg directory relatively uncluttered is a good design choice.

Is there an option that I'm not finding in the documentation to leave the source trees around so that I can automate running in-depth static scans? My security office wants it done frequently so automation is vital.

I'm also trying to decide the best way to publish "corrections." In some cases there is guard code that negates a "vulnerability" that the scanner doesn't understand, but there are legitimate edge cases that I will have to patch which may not be appreciated by the package's maintainers. especially when fixes will require preprocessor directives to handle cases where Microsoft and gcc corrections would differ.

[Osyotr]

You can get sources of all dependencies by running vcpkg as you would to install your dependencies, but with --only-downloads flag.

[wilyle]

Is there a way to automate this scanning? For example, with a tool like Trivy (which doesn't currently support VCPKG)? I'm working on a project which pulls in 120 different components as dependencies with VCPKG, and going through each one of these manually looking for vulnerabilities is a huge time sink.

Running vcpkg install --only-downloads helps with inventorying the dependencies, but that isn't the problem here, it's determining whether there are vulnerabilities without having to go through that list one by one and look up the package name in a CVE database