OWASP Amass 5 First Look
With the Internet, I’ve learned that if you stop to think, you’ll miss something.
OWASP Amass has released version 5, following the long-standing version 4 that I previously reviewed in depth. Given the major version change, substantial updates were expected.
This post outlines the key differences between Amass v4 and v5, highlighting what’s new and what’s changed. In subsequent posts, I’ll examine how these updates affect practical workflows.
Key Differences at a Glance
While Amass v4 was the revolutionary pivot to the Open Asset Model (OAM), version 5 is an evolutionary step forward on that same path. In version 5:
Client/Engine split. Amass has been restructured into a launcher and client that communicate with a standalone engine. This architecture allows you to run the engine as a detached service and connect multiple clients to it—ideal for distributed scanning or collaborative environments.
The Open Asset Model (OAM) has matured, enabling better discovery, management of complex relationships between asset types, and asset property filtering. The OAM and AssetDB have significantly newer versions, with changes to the data schema, caching, and performance improvements.
Dependency upgrades (e.g., Go v1.24).
New data sources and plugins and updates to the plugin architecture.
Command line modifications: removal of the db, track, and viz commands in the core amass binary. This will cause a significant disruption since many tutorials and workflows relied on these user-friendly subcommands. This functionality has evolved with the expectation that users interact with the asset database to manage, compare, and visualize data. It appears users are expected to build their own scripts and tools around the Amass database, querying it directly to extract the specific information they need for alerting, monitoring, or feeding into other security tools.
The asset-db repository does not require a user install. It is a self-contained dependency used by and compiled with the main Amass application. This may be a v4 thing but I just clued into it now. The concept of asset-db being a "built-in" component is true for both versions 4 and 5. The change was the removal of the user-facing commands that made interacting with that component easy from the Amass command line.
Note: Amass db was briefly pushed to a separate oam-tools repository, but this repository has been removed. This has caused a lot of confusion and there seems to be a lack of guidance or documentation from the team on how this is done (https://github.com/owasp-amass/amass/issues/1067). (Sidebar: you will probably say “if you don’t like the lack of documentation, why don’t you contribute?”. This is a fair question. My response is that I tried and was insulted and then ghosted for my contribution. So I did the v4 series of blog posts as my contribution instead.)
Digging into the weeds, we see commits to the v5 release suggesting that oam-tools was integrated into the main Amass repository.
https://github.com/owasp-amass/amass/commit/a5d2f3534573ed755a8fd9ff1d69ca0a6ddb8370 brought the oam_tools into the repo
So what this means is that the main Amass command has integrated track, viz, and subs. But not db.
Graph database support? There is a curious commit I noticed (“a887622 updates related to neo4j”) that leads me to believe that there is support for a graph database in the data tier. Of course, there is little documentation around it that I can find. A search for Neo4j in the codebase finds references in config.yaml, graph.go, go.mod, and session.go. The graph.go file has a history starting in November of 2024. It has bounced around from the now-removed oam-tools repository into the main amass repository, and within that from utils to engine components. So perhaps not specifically a v5 thing, but its role in the engine and asset-db seems to have solidified somewhat.
Documentation confusion remains.
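With change tracking left to your own tooling, a track-style comparison can be run straight against the asset store; the sketch below is an added example, not code from the Amass project, and it assumes a SQLite-backed database. The assets table, its column names, and the sample rows are hypothetical, so map them to the schema your own database actually uses.

```python
import json
import sqlite3

# Hypothetical table layout, for illustration only. Inspect your own
# Amass database and substitute its real table and column names.
SCHEMA = """
CREATE TABLE assets (
    id         INTEGER PRIMARY KEY,
    type       TEXT NOT NULL,   -- asset type, e.g. FQDN or IPAddress
    content    TEXT NOT NULL,   -- JSON document describing the asset
    first_seen TEXT NOT NULL,   -- ISO-8601 UTC, set when first discovered
    last_seen  TEXT NOT NULL    -- ISO-8601 UTC, refreshed on every sighting
)"""

# Constructed sample rows standing in for two enumeration runs.
SAMPLE_ROWS = [
    ("FQDN", {"name": "www.example.com"}, "2025-01-05T10:00:00Z", "2025-03-01T10:00:00Z"),
    ("FQDN", {"name": "old-vpn.example.com"}, "2025-01-05T10:00:00Z", "2025-01-05T10:00:00Z"),
    ("FQDN", {"name": "staging.example.com"}, "2025-03-01T10:00:00Z", "2025-03-01T10:00:00Z"),
    ("IPAddress", {"address": "192.0.2.10"}, "2025-03-01T10:00:00Z", "2025-03-01T10:00:00Z"),
]

def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO assets (type, content, first_seen, last_seen) VALUES (?, ?, ?, ?)",
        [(t, json.dumps(c), first, last) for t, c, first, last in SAMPLE_ROWS],
    )
    return conn

def names_where(conn, where, asset_type, cutoff):
    # `where` is one of the fixed clauses below; type and cutoff are bound parameters.
    sql = f"SELECT content FROM assets WHERE type = ? AND {where} ORDER BY content"
    return [json.loads(row[0])["name"] for row in conn.execute(sql, (asset_type, cutoff))]

def new_since(conn, asset_type, cutoff):
    """Assets first discovered at or after the cutoff (candidates for an alert)."""
    return names_where(conn, "first_seen >= ?", asset_type, cutoff)

def not_seen_since(conn, asset_type, cutoff):
    """Assets whose last sighting predates the cutoff (possibly decommissioned)."""
    return names_where(conn, "last_seen < ?", asset_type, cutoff)

if __name__ == "__main__":
    db = build_sample_db()
    print("new:", new_since(db, "FQDN", "2025-03-01T00:00:00Z"))
    print("stale:", not_seen_since(db, "FQDN", "2025-03-01T00:00:00Z"))
```

The timestamp comparison relies on every value being stored in the same ISO-8601 UTC format, so that string order matches chronological order.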
Thoughts for a v5 Install
Like a lot of open source projects, OWASP Amass has documentation issues. Moving and removing commands leaves users grasping for a path forward, and that path is missing. Older, out-of-date information mixed in with updated documentation causes a lot of confusion and frustration. This is a disservice to what is otherwise an amazing project.
My plan moving forward is to use a Neo4j data tier in a clean, fresh install. My experiences will be covered in subsequent blog posts.