codeaudit 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.0.0"
+__version__ = "1.1.0"

codeaudit/api_interfaces.py

@@ -0,0 +1,209 @@
+"""
+License GPLv3 or higher.
+
+(C) 2025 Created by Maikel Mardjan - https://nocomplexity.com/
+
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+
+
+Public API functions for Python Code Audit aka codeaudit on pypi.org
+"""
+
+from codeaudit import __version__
+from codeaudit.filehelpfunctions import get_filename_from_path , collect_python_source_files 
+from codeaudit.security_checks import perform_validations , ast_security_checks
+from codeaudit.totals import overview_per_file , get_statistics , overview_count , total_modules
+from codeaudit.checkmodules import get_all_modules , get_imported_modules_by_file , get_standard_library_modules , check_module_vulnerability
+
+
+from pathlib import Path
+import json
+import datetime 
+import pandas as pd
+import platform
+
+def version():
+    """Returns the version of Python Code Audit"""
+    ca_version = __version__
+    return {"name" : "Python_Code_Audit",
+             "version" : ca_version}
+
+
+def filescan(input_path):
+    """Scans a Python file or directory and returns result as JSON"""    
+    output ={}
+    file_output = {}
+    file_path = Path(input_path)
+    ca_version_info = version()
+    now = datetime.datetime.now()
+    timestamp_str = now.strftime("%Y-%m-%d %H:%M")
+    output = ca_version_info | {"generated_on" : timestamp_str}    
+    # Check if the input is a valid directory or a single valid Python file
+    if file_path.is_dir():
+        files_to_check = collect_python_source_files(input_path)        
+        if len(files_to_check) > 1:
+            modules_discovered = get_all_modules(input_path) #all modules for the package aka directory
+            name_of_package = get_filename_from_path(input_path)
+            package_overview = get_overview(input_path)
+            output |= {"package_name" : name_of_package ,
+                    "statistics_overview" : package_overview ,
+                    "module_overview" : modules_discovered }        
+            for i,file in enumerate(files_to_check):            
+                file_information = overview_per_file(file)
+                module_information = get_modules(file) # modules per file            
+                scan_output = codeaudit_scan(file)
+                file_output[i] = file_information | module_information | scan_output
+            output |= { "file_security_info" : file_output}
+            return output
+        else:
+            output_msg = f'Directory path {input_path} contains no Python files.'
+            return {"Error" : output_msg}
+    elif file_path.suffix.lower() == ".py" and file_path.is_file():        
+        #do a file check                        
+        file_information = overview_per_file(input_path) 
+        module_information = get_modules(input_path) # modules per file
+        scan_output = codeaudit_scan(input_path)                
+        file_output[0] = file_information | module_information | scan_output #there is only 1 file , so index 0 equals as for package to make functionality that use the output that works on the dict or json can equal for a package or a single file!
+        output |= { "file_security_info" : file_output}
+        return output
+    else:
+        #Its not a directory nor a valid Python file:
+        return {"Error" : "File is not a *.py file, does not exist or is not a valid directory path towards a Python package."}
+
+def codeaudit_scan(filename):
+    """Function to do a SAST scan on a single file"""
+    #get the file name
+    name_of_file = get_filename_from_path(filename)
+    sast_data = perform_validations(filename)
+    sast_data_results = sast_data["result"]    
+    sast_result = dict(sorted(sast_data_results.items()))
+    output = { "file_name" : name_of_file ,
+              "sast_result": sast_result}    
+    return output
+
+def save_to_json(sast_result, filename="codeaudit_output.json"):
+    """
+    Save a SAST result (dict or serializable object) to a JSON file.
+
+    Args:
+        sast_result (dict or list): The data to be saved as JSON.
+        filename (str, optional): The file path to save the JSON data.
+            Defaults to "codeaudit_output.json".
+
+    Returns:
+        Path: The absolute path of the saved file, or None if saving failed.
+    """
+    filepath = Path(filename).expanduser().resolve()
+
+    try:
+        filepath.parent.mkdir(parents=True, exist_ok=True)  # ensure directory exists
+        with filepath.open("w", encoding="utf-8") as f:
+            json.dump(sast_result, f, indent=2, ensure_ascii=False)
+        return
+    except (TypeError, ValueError) as e:
+        print(f"[Error] Failed to serialize data to JSON: {e}")
+    except OSError as e:
+        print(f"[Error] Failed to write file '{filepath}': {e}")
+
+def get_modules(filename):
+    """Gets modules of a Python file """
+    modules_found = get_imported_modules_by_file(filename)
+    return modules_found
+
+def get_overview(input_path):
+    """Retrieves the security relevant statistics of a Python package(directory) or of a single Python 
+
+    Based on the input path, call the overview function and return the result in a dict
+
+    Args:
+        input_path: Directory path of the package to use
+        
+
+    Returns:
+        dict: Returns the overview statistics in DICT format
+    """
+    file_path = Path(input_path)
+    if file_path.is_dir():
+        files_to_check = collect_python_source_files(input_path)        
+        if len(files_to_check) > 1:
+            statistics = get_statistics(input_path)
+            modules = total_modules(input_path)
+            df = pd.DataFrame(statistics) 
+            df['Std-Modules'] = modules['Std-Modules'] #Needed for the correct overall count
+            df['External-Modules'] = modules['External-Modules'] #Needed for the correct overall count
+            overview_df = overview_count(df) #create the overview Dataframe
+            dict_overview = overview_df.to_dict(orient="records")[0] #The overview Dataframe has only one row
+            return dict_overview
+        else:
+            output_msg = f'Directory path {input_path} contains no Python files.'
+            return {"Error" : output_msg}
+    elif file_path.suffix.lower() == ".py" and file_path.is_file():
+        security_statistics = overview_per_file(input_path)
+        return security_statistics
+    else:
+        #Its not a directory nor a valid Python file:
+        return {"Error" : "File is not a *.py file, does not exist or is not a valid directory path to a Python package."}
+
+def get_default_validations():
+    """Retrieves the implemented default security validations
+    Args:
+        none
+
+    Returns:
+        dict: Overview of implemented security SAST validation on Standard Python modules
+    """    
+    df = ast_security_checks()
+    result = df.to_dict(orient="records")    
+    output = generation_info() | {"validations" : result}
+    return output
+
+def generation_info():
+    """Internal function to retrieve generation info for APIs output"""
+    ca_version_info = version()    
+    now = datetime.datetime.now()
+    timestamp_str = now.strftime("%Y-%m-%d %H:%M")
+    output = ca_version_info | {"generated_on" : timestamp_str}
+    return output
+
+def platform_info():
+    """Get platform info
+    Args:
+        none
+
+    Returns:
+        dict: Overview of implemented security SAST validation on Standard Python modules       
+    """
+    python_version = platform.python_version()
+    platform_implementation = platform.python_implementation()
+    output = { "python_version" : python_version ,
+              "python_implementation" : platform_implementation}
+    return output
+
+
+def get_psl_modules():
+    """Retrieves a list of  collection of Python modules that are part of a Python distribution aka standard installation
+    
+    Returns:
+        dict: Overview of PSL modules in the Python version used.
+    
+    """
+    psl_modules = get_standard_library_modules()
+    output = generation_info() | platform_info() | { "psl_modules" : psl_modules}
+    return output
+
+def get_module_vulnerability_info(module):
+    """Retrieves vulnerability information for external modules using the OSV Database
+    Args:
+        input: module name
+    
+    Returns:
+        dict: Result of OSV query 
+    """
+    vuln_info = check_module_vulnerability(module)
+    key_string = f'{module}_vulnerability_info'
+    output = generation_info() | { key_string : vuln_info}
+    return output

codeaudit/checkmodules.py

@@ -66,7 +66,14 @@ def get_standard_library_modules():
 
 
 def query_osv(package_name, ecosystem="PyPI"):
-    """MVP version to check imported module on vulnerabilities on osv db"""
+    """Query the OSV DB (Open Source Vulnerabilities) API for a given package.
+    Args:
+        package_name (str): The name of the package to check.
+        ecosystem (str, optional): The package ecosystem (default: "PyPI").
+
+    Returns:
+        dict: The parsed JSON response from the OSV API, or an error response.
+    """
     url = "https://api.osv.dev/v1/query"
     headers = {"Content-Type": "application/json"}
     data = {
@@ -81,23 +88,34 @@ def query_osv(package_name, ecosystem="PyPI"):
     with urllib.request.urlopen(request) as response:
         return json.loads(response.read().decode("utf-8"))
 
+def extract_vulnerability_info(data):
+    """
+    Extract vulnerability details from OSV response data.
 
-def extract_vuln_info(data):
+    Args:
+        data (dict): The JSON response from the OSV API.
+
+    Returns:
+        list: A list of vulnerability summaries containing ID, details, and aliases.
+    """
     results = []
     for vuln in data.get("vulns", []):
-        info = {
-            "id": vuln.get("id"),
-            "details": vuln.get("details"),
-            "aliases": vuln.get("aliases", []),
-        }
-        results.append(info)
+        results.append(
+            {
+                "id": vuln.get("id"),
+                "summary": vuln.get("summary", ""),
+                "details": vuln.get("details", ""),
+                "aliases": vuln.get("aliases", []),
+                "severity": vuln.get("severity", []),  # CVSS scores if available               
+            }
+        )
     return results
 
 
-def check_module_on_vuln(module):
+def check_module_vulnerability(module):
     """Retrieves vuln info for external modules using osv-db"""
     result = query_osv(module)
-    vulnerability_info = extract_vuln_info(result)
+    vulnerability_info = extract_vulnerability_info(result)
     return vulnerability_info
 
 

codeaudit/codeaudit.py

@@ -15,7 +15,7 @@ CLI functions for codeaudit
 import fire  # for working CLI with this PoC-thing (The Google way)
 import sys
 from codeaudit import __version__
-from codeaudit.reporting import overview_report ,report_module_information ,file_scan_report , directory_scan_report , report_implemented_tests
+from codeaudit.reporting import overview_report ,report_module_information , scan_report , report_implemented_tests
 
 codeaudit_ascii_art=r"""
 ----------------------------------------------------
@@ -39,8 +39,8 @@ def display_help():
     print('Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] \n')
     print('Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.\n')
     print('Commands:')
-    commands = ["overview", "directoryscan", "filescan", "modulescan",  "checks","version"]  # commands on CLI
-    functions = [overview_report, directory_scan_report, file_scan_report, report_module_information, report_implemented_tests,display_version]  # Related functions relevant for help
+    commands = ["overview", "filescan", "modulescan",  "checks","version"]  # commands on CLI
+    functions = [overview_report, scan_report, report_module_information, report_implemented_tests,display_version]  # Related functions relevant for help
     for command, function in zip(commands, functions):
         docstring = function.__doc__.strip().split('\n')[0] or ""  
         summary = docstring.split("\n", 1)[0]
@@ -60,8 +60,7 @@ def main():
             {
                 "overview": overview_report,               
                 "modulescan": report_module_information,
-                "filescan" : file_scan_report,
-                "directoryscan" : directory_scan_report,
+                "filescan" : scan_report,                
                 "checks" : report_implemented_tests,
                 "version" : display_version,
                 "-help": display_help,

codeaudit/data/sastchecks.csv

@@ -1,71 +1,71 @@
 name,construct,severity,info
-Check on assert,assert,Low,Assertions are for debugging and development. Misuse can lead to security vulnerabilities.
-Binding All Interfaces,s.bind,Medium,Network sockets require additional measurements.
-Check for chmod,os.chmod,High,Operating System calls can have a  security impact and should be inspected in detail.
-Directory Creation,os.makedirs,Low,Operating System calls can have a  security impact and should be inspected in detail.
-Directory Creation,os.mkdir,Low,Operating System calls can have a  security impact and should be inspected in detail.
-Directory Creation,os.mkfifo,Low,Operating System calls can have a  security impact and should be inspected in detail.
-Directory Creation,os.mknod,Low,Operating System calls can have a  security impact and should be inspected in detail.
-Directory Creation,os.makedev,Low,Operating System calls can have a  security impact and should be inspected in detail.
-OS System call - Fork a child process,os.fork,Low,"On macOS use of this function is unsafe when mixed with using higher-level system APIs, and that includes using urllib.request."
-Check on eval usage,eval,High,This function can executes arbitrary code.
-Check on input statement,input,Low,Use of input requires strict sanitizing and validation.
-Exception Handling,pass,Low,Too broad exception handling risk when not used correctly.
-Exception Handling- Continue statement,continue,Low,Too broad exception handling risk when not used correctly.
-Built-in Functions: Check for exec usage.,exec,High,This built-in function can execute code you do not want. Check and refuse using dynamic contructs within exec you can not validate upfront.
-Built-in Functions: Check on compile usage.,compile,High,It is possible to crash the Python interpreter when using this function.
-Use of dynamic Imports,__import__,Medium,"Validate the what is imported and only allow of known, safe modules."
-Use of dynamic Imports,importlib.import_module,Medium,"Validate the what is imported and only allow of known, safe modules."
-Hash Check - md5,hashlib.md5,High,Use of insecure hashing algorithms detected.
-Hash Check -sha1,hashlib.sha1,High,Use of insecure hashing algorithms detected.
-Logging - configuration ,logging.config,Low,Potential security issues can arise with parsing objects and incorrect sanitizing.
-Pickle use,pickle.loads,High,unpickling will import any class or function that it finds in the pickle data
-Pickle use,pickle.load,High,unpickling will import any class or function that it finds in the pickle data
-OS  - direct calls,os.system,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execl,os.execl,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execle,os.execle,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execlp,os.execlp,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execlpe,os.execlpe,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execv,os.execv,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execve,os.execve,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execvp,os.execvp,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - execvpe,os.execvpe,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS  - popen,os.popen,High,Operating System calls can have a  security impact and should be inspected in detail.
-Sys calls,sys.call_tracing,Medium,Sys functions that can give ow-level access to the interpreter's execution flow.
-Sys calls,sys.setprofile,Medium,Sys functions that can give ow-level access to the interpreter's execution flow.
-Sys calls,sys.settrace,Medium,Sys functions that can give ow-level access to the interpreter's execution flow.
-OS Access,os.access,High,Operating System calls can have a  security impact and should be inspected in detail.
-OS Interfaces,os.write,Low,os.write can cause availability issues if not done correct.
-OS Interfaces,os.writev,Low,os.writev can cause availability issues if not done correct.
+Assertions,assert,Low,Assertions are for debugging and development. Assertions can be disabled during runtime. Use in production can introduce vulnerabilities.
+Insecure Network Binding,s.bind,Medium,Binding to all interfaces can expose the service to a wider network attack surface.
+OS File Permissions,os.chmod,High,Changing permissions carelessly can expose sensitive files.
+Directory Creation,os.makedirs,Low,Direct file system calls require careful input validation to prevent vulnerabilities.
+Directory Creation,os.mkdir,Low,Direct file system calls require careful input validation to prevent vulnerabilities.
+Directory Creation,os.mkfifo,Low,Direct file system calls require careful input validation to prevent vulnerabilities.
+Directory Creation,os.mknod,Low,Direct file system calls require careful input validation to prevent vulnerabilities.
+Directory Creation,os.makedev,Low,Direct file system calls require careful input validation to prevent vulnerabilities.
+OS Forking,os.fork,Low,"On macOS use of this function is unsafe when mixed with using higher-level system APIs, and that includes using urllib.request."
+Dangerous Built-in: eval,eval,High,This function can execute arbitrary code. Never safe with untrusted input.
+Input Function,input,Low,User input must be strictly sanitized and validated to prevent injection vulnerabilities.
+Overly Broad Exception Handling,pass,Low,Using `pass` in an `except` block can silently ignore critical security exceptions.
+Overly Broad Exception Handling,continue,Low,Skipping over exceptions can mask critical errors and security risks.
+Dangerous Built-in: exec,exec,High,This function can execute arbitrary code and should be used only with validated constructs.
+Dangerous Built-in: compile,compile,High,This function can be used to execute arbitrary code or crash the Python interpreter.
+Dynamic Imports,__import__,Medium,"Importing modules dynamically can load untrusted code."
+Dynamic Imports,importlib.import_module,Medium,"Importing modules dynamically can load untrusted code."
+Insecure Hashing Algorithm,hashlib.md5,High,MD5 is cryptographically broken and should not be used for security purposes.
+Insecure Hashing Algorithm,hashlib.sha1,High,SHA-1 is cryptographically broken and should not be used for security purposes.
+Logging Configuration,logging.config,Medium,Parsing untrusted logging configurations can lead to vulnerabilities if not handled correctly.
+Pickle Usage,pickle.loads,High,Deserializing untrusted data with `pickle` can lead to arbitrary code execution.
+Pickle Usage,pickle.load,High,Deserializing untrusted data with `pickle` can lead to arbitrary code execution.
+OS Execution,os.system,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execl,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execle,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execlp,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execlpe,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execv,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execve,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execvp,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.execvpe,High,Direct OS function calls can have significant security implications and require careful review.
+OS Execution,os.popen,High,Direct OS function calls can have significant security implications and require careful review.
+Sys Calls,sys.call_tracing,Medium,Provides low-level access to interpreter execution; dangerous if exposed.
+Sys Calls,sys.setprofile,Medium,Provides low-level access to interpreter execution; dangerous if exposed.
+Sys Calls,sys.settrace,Medium,Provides low-level access to interpreter execution; dangerous if exposed.
+OS Access,os.access,High,Direct OS function calls can have significant security implications and require careful review.
+OS File Operations,os.write,Low,Reading from unvalidated file descriptors can lead to information disclosure.
+OS File Operations,os.writev,Low,Reading from unvalidated file descriptors can lead to information disclosure.
 OS Interfaces,os.forkpty,Low,Use of forkpty can be unsafe when used on MacOS.
-OS Interface,os.read,Low,"When files can be read from , they can be transfered to some place you do not want."
-tempfile ,tempfile.mktemp,Low,This function may introduce race conditions which could negatively impact security.
-Marshal,marshal.loads,High,The marshal module is not intended to be secure against erroneous or maliciously constructed data. 
-Marshal,marshal.load,High,The marshal module is not intended to be secure against erroneous or maliciously constructed data. 
-Subprocesses - call,subprocess.call,High,Use of the subprocess module calls should be analyzed in-depth.
-Subprocesses - check_call,subprocess.check_call,High,Use of the subprocess module calls should be analyzed in-depth.
-Subprocesses - Popen,subprocess.Popen,Medium,Use of the subprocess module calls should be analyzed in-depth.
-Subprocesses - run,subprocess.run,Medium,Use of the subprocess module calls should be analyzed in-depth.
-Tarfile,tarfile.TarFile,High,Extracting files within a program should never be trusted by default. This issue is detected when the zipfile and/or tarfile module with an extraction method is used.
-Encodings,base64,Low,"Base encoding visually hides otherwise easily recognized information such as passwords, but does not provide any computational confidentiality."
-XML - client,xmlrpc.client,High,xmlrpc is vulnerable to the “decompression bomb” attack.
-XML - server,xmlrpc.server.SimpleXMLRPCServer,High,xmlrpc.server is vulnerable to the “decompression bomb” attack.
-Random numbers generation module,random.random,Low,The pseudo-random generators of this module should not be used for security purposes.
-Random numbers generation module,random.seed,Low,The pseudo-random generators of this module should not be used for security purposes.
-Shelve module,shelve.open,High,Only loading a shelve from a trusted source is secure. So check if this is the case.
-Multiprocessing ,connection.recv,High,Connection.recv() uses pickle
-Multiprocessing ,multiprocessing.connection.Connection,High,Connection.recv() uses pickle
-Zipfile,zipfile.ZipFile,High,Extracting files within a program should never be trusted by default. This issue is detected when the zipfile and/or tarfile module with an extraction method is used.
-Gzip,gzip.open,Medium,Potential resource consumption if the file is untrusted.
-bz2 use,bz2.open,Medium,Potential resource consumption if bz2 compressed file is untrusted.
-bz2 class use,bz2.BZ2File,Medium,Potential risk with bz2 class when decompressing data from untrusted or unknown source. 
-lzma use,lzma.open,Medium,Potential risk with lzma when decompressing data from untrusted or unknown source. 
-lzma class use,lzma.LZMAFile,Medium,Potential risk with lzma class when decompressing data from untrusted or unknown source. 
-shutil,shutil.unpack_archive,Medium,Extracting files within a program should not be trusted by default.
-shutil,shutil.copy,Medium,Information can be transfered without permission.
-shutil,shutil.copy2,Medium,Information can be transfered without permission.
-shutil,shutil.copytree,Medium,Information can be transfered without permission.
-shutil,shutil.chown,Medium,Programs should not change access rights on files they do not own.
-shutil,shutil.rmtree,Medium,Risk on path traversal attack.
-HTTP servers: Check on usage.,http.server.BaseHTTPRequestHandler,High,Insecure for production use.
-HTTP servers: Check on usage.,http.server.HTTPServer,High,Insecure for production use.
+OS File Operations,os.read,Low,"Reading from unvalidated file descriptors can lead to information disclosure."
+Tempfile,tempfile.mktemp,Low,This function is deprecated because of race conditions that can lead to security vulnerabilities.
+Marshal Usage,marshal.loads,High,This module is not secure and should not be used to deserialize data from untrusted sources.
+Marshal Usage,marshal.load,High,This module is not secure and should not be used to deserialize data from untrusted sources.
+Subprocess Usage,subprocess.call,High,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.check_call,High,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.Popen,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.run,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Tarfile Extraction,tarfile.TarFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Base64 Encoding ,base64,Low,"Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code."
+XML-RPC Client,xmlrpc.client,High,Vulnerable to denial-of-service via decompression bombs.
+XML-RPC Server,xmlrpc.server.SimpleXMLRPCServer,High,Vulnerable to denial-of-service via decompression bombs.
+Cryptographically Unsafe Randomness,random.random,Low,The pseudo-random generators in this module are not suitable for security purposes. 
+Cryptographically Unsafe Randomness,random.seed,Low,The pseudo-random generators in this module are not suitable for security purposes. 
+Shelve Usage,shelve.open,High,"The `shelve` module uses `pickle` internally, making it unsafe for untrusted data."
+Unsafe Deserialization: multiprocessing,connection.recv,High,"Uses pickle, which can execute arbitrary code when receiving data. "
+Unsafe Deserialization: multiprocessing,multiprocessing.connection.Connection,High,Relies on pickle; dangerous with untrusted data. 
+Zipfile Extraction,zipfile.ZipFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Gzip File Handling,gzip.open,Medium,Risk of decompression bombs or resource exhaustion with untrusted data.
+BZ2 File Handling,bz2.open,Medium,Decompressing untrusted data can lead to resource exhaustion attacks. 
+BZ2 File Handling,bz2.BZ2File,Medium,Decompressing untrusted data can lead to resource exhaustion attacks. 
+LZMA File Handling,lzma.open,Medium,Risk of decompression bombs or resource exhaustion with untrusted data.
+LZMA File Handling,lzma.LZMAFile,Medium,Risk of decompression bombs or resource exhaustion with untrusted data.
+Shutil Extraction,shutil.unpack_archive,Medium,Untrusted archives can contain malicious paths or payloads.
+Shutil Copying,shutil.copy,Medium,Files may be copied without authorization if paths are not validated.
+Shutil Copying,shutil.copy2,Medium,Files may be copied without authorization if paths are not validated.
+Shutil Copying,shutil.copytree,Medium,Files may be copied without authorization if paths are not validated.
+Shutil Operations,shutil.chown,Medium,Changing file ownership can introduce vulnerabilities.
+Shutil Removal,shutil.rmtree,Medium,Vulnerable to path traversal attacks if not used carefully.
+HTTP Server (Base Handler),http.server.BaseHTTPRequestHandler,High,These modules are for development only and are not secure for production use.
+HTTP Server,http.server.HTTPServer,High,These modules are for development only and are not secure for production use.

codeaudit/filehelpfunctions.py

@@ -28,7 +28,7 @@ def read_in_source_file(file_path):
         )
         sys.exit(1)
 
-    if file_path.suffix != ".py":
+    if file_path.suffix.lower() != ".py":
         print("Error: The given file is not a Python (.py) file.")
         sys.exit(1)
 
@@ -89,9 +89,12 @@ def get_filename_from_path(file_path):
     Returns:
         str: The file name.
     """
-    return os.path.basename(file_path)
+    #return os.path.basename(file_path) 
+    return Path(file_path).name
 
 
+    
+
 def is_ast_parseable(file_path):
     """
     Checks whether a Python file can be parsed using the AST module.
@@ -111,4 +114,23 @@ def is_ast_parseable(file_path):
             ast.parse(source, filename=file_path)
         return True
     except (SyntaxError, UnicodeDecodeError, ValueError) as e:
-        return False
+        return False
+
+
+def has_python_files(input_path):
+    """
+    Check whether a directory contains at least one Python file.
+
+    Args:
+        input_path (str | Path): Path to a directory.
+
+    Returns:
+        bool: True if the directory contains at least one Python file, False otherwise.
+    """
+    file_path = Path(input_path)
+
+    if not file_path.is_dir():
+        return False
+
+    files_to_check = collect_python_source_files(file_path)
+    return len(files_to_check) > 0

codeaudit/reporting.py

@@ -15,15 +15,16 @@ Reporting functions for codeaudit
 
 import re
 import os
+from pathlib import Path
 
 import pandas as pd
 import datetime
 
 from codeaudit.security_checks import perform_validations , ast_security_checks
-from codeaudit.filehelpfunctions import get_filename_from_path , collect_python_source_files , read_in_source_file 
+from codeaudit.filehelpfunctions import get_filename_from_path , collect_python_source_files , read_in_source_file , has_python_files
 from codeaudit.altairplots import multi_bar_chart
 from codeaudit.totals import get_statistics , overview_count , overview_per_file , total_modules
-from codeaudit.checkmodules import get_imported_modules , check_module_on_vuln , get_all_modules , get_imported_modules_by_file
+from codeaudit.checkmodules import get_imported_modules , check_module_vulnerability , get_all_modules , get_imported_modules_by_file
 from codeaudit.htmlhelpfunctions import dict_to_html , json_to_html , dict_list_to_html_table
 from codeaudit import __version__
 
@@ -51,6 +52,10 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
         print(f"ERROR: '{directory}' is not a directory (maybe you try to run it for a single file)")
         print(f"This function only works for directories which contains one or more Python source code files (*.py). ")
         exit(1)
+    #Check if the directory has Python files
+    if not has_python_files(directory):
+        print(f'Error: Directory path {directory} contains no Python files.')
+        exit(1)
     result = get_statistics(directory)
     modules = total_modules(directory)    
     df = pd.DataFrame(result)
@@ -95,15 +100,16 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
     html += '<h2>Visual Overview</h2>'    
     html += extract_altair_html(plot_html)    
     create_htmlfile(html,filename)
-    
+        
+        
 
-def file_scan_report(file_to_scan , filename=DEFAULT_OUTPUT_FILE):
-    """Reports potential security issues for a single Python file.
-    
-    This function performs security validations on the specified file, 
+def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
+    """Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+        
+    This function performs security validations on the specified file or directory, 
     formats the results into an HTML report, and writes the output to an HTML file. 
     
-    You can specify the name and directory for the generated HTML report.
+    You can specify the name of the outputfile and directory for the generated HTML report. Make sure you chose the extension `.html` since the output file is a static html file.
 
     Parameters:
         file_to_scan (str)      : The full path to the Python source file to be scanned.
@@ -113,16 +119,26 @@ def file_scan_report(file_to_scan , filename=DEFAULT_OUTPUT_FILE):
     Returns:
         None - A HTML report is written as output
     """
-    scan_output = perform_validations(file_to_scan)    
-    file_report_html = single_file_report(file_to_scan , scan_output)    
-    name_of_file = get_filename_from_path(file_to_scan)
-    html = '<h1>Python Code Audit Report</h1>' #prepared to be embedded to display multiple reports, so <h2> used
-    html += f'<h2>Result of scan of file {name_of_file}</h2>'    
-    html += '<p>' + f'Location of the file: {file_to_scan} </p>'  
-    html += file_report_html    
-    html += '<br>'
-    html += DISCLAIMER_TEXT
-    create_htmlfile(html,filename)  
+      # Check if the input is a valid directory or a single valid Python file
+    file_path = Path(input_path)
+    if file_path.is_dir():
+        directory_scan_report(input_path , filename ) #create a package aka directory scan report
+    elif file_path.suffix == ".py" and file_path.is_file():        
+        #create a sast file check report
+        scan_output = perform_validations(input_path)
+        file_report_html = single_file_report(input_path , scan_output)    
+        name_of_file = get_filename_from_path(input_path)
+        html = '<h1>Python Code Audit Report</h1>' #prepared to be embedded to display multiple reports, so <h2> used
+        html += f'<h2>Result of scan of file {name_of_file}</h2>'    
+        html += '<p>' + f'Location of the file: {input_path} </p>'  
+        html += file_report_html    
+        html += '<br>'
+        html += DISCLAIMER_TEXT
+        create_htmlfile(html,filename)
+    else:
+        #Its not a directory nor a valid Python file:
+        print(f"Error: {input_path} File is not a *.py file, does not exist or {input_path} is not a valid directory path.\n")
+   
 
 def single_file_report(filename , scan_output):
     """Function to DRY for a codescan when used for single for CLI or within a directory scan"""
@@ -197,8 +213,9 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
     collection_ok_files = [] # create a collection of files with no issues found    
     html = '<h1>Python Code Audit Report</h1>'     
     files_to_check = collect_python_source_files(directory_to_scan)
-    html += '<h2>Directory scan report</h2>'     
-    html += f'<p>Below the result of the Codeaudit scan of the directory:<b> {directory_to_scan}</b></p>' 
+    html += '<h2>Directory scan report</h2>'         
+    name_of_package = get_filename_from_path(directory_to_scan)
+    html += f'<p>Below the result of the Codeaudit scan of the package or directory:<b> {name_of_package}</b></p>' 
     html += f'<p>Total Python files found: {len(files_to_check)}</p>'
     number_of_files = len(files_to_check)
     print(f'Number of files that are checked for security issues:{number_of_files}')
@@ -218,7 +235,7 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
             collection_ok_files.append({'filename' : file_name_with_no_issue ,
                                         'directory': file_to_scan})
     html += '<h2>Files in directory with no security issues</h2>'
-    html += f'<p>Total Python files with no detected security issue: {len(collection_ok_files)}</p>'
+    html += f'<p>Total Python files <b>without</b> detected security issues: {len(collection_ok_files)}</p>'
     html += '<p>The Python files with no security issues <b>detected</b> by codeaudit are:<p>'        
     html += dict_list_to_html_table(collection_ok_files)     
     html += '<br>'
@@ -228,7 +245,7 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
 
 
 def report_module_information(inputfile,reportname=DEFAULT_OUTPUT_FILE):
-    """Reports module information per file.""" 
+    """Reports module vulnerability information.""" 
     source = read_in_source_file(inputfile)
     used_modules = get_imported_modules(source)
     # Initial call to print 0% progress
@@ -243,7 +260,7 @@ def report_module_information(inputfile,reportname=DEFAULT_OUTPUT_FILE):
         html += '<h2>Vulnerability information for detected modules</h2>'    
     for i,module in enumerate(external_modules):  #sorted for nicer report
         printProgressBar(i + 1, l, prefix='Progress:', suffix='Complete', length=50)
-        vuln_info = check_module_on_vuln(module)
+        vuln_info = check_module_vulnerability(module)
         if not vuln_info:
             html += f'<h3>Vulnerability information for module <b>{module}</b></h3> '
             html += f'<li>No information found in OSV Database for module: <b>{module}</b>.</li> '

codeaudit/totals.py

@@ -131,7 +131,7 @@ def total_modules(directory):
 
 
 def overview_per_file(python_file):
-    """gets the overview per file."""
+    """gets the relevant security statistics overview per file."""
     result = {}
     source = read_in_source_file(python_file)
     name_of_file = get_filename_from_path(python_file)

{codeaudit-1.0.0.dist-info → codeaudit-1.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.0.0
+Version: 1.1.0
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -37,11 +37,14 @@ Python Code Audit - A modern Python source code analyzer based on distrust.
 
 Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy. 
 
+This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
+
 This tool is created for:
-* Users of Python programs who want to known the security risks of the used Python code. 
-* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
-* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
+* Python Users who want to assess the security risks in the Python code they use.
+* Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
+* Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.
 
+Creating secure software can be challenging. This tool, with its comprehensive [documentation](https://nocomplexity.com/documents/codeaudit/intro.html), acts as your helpful security colleague, making it easier to identify and address vulnerabilities.
 
 ## Features
 
@@ -71,7 +74,7 @@ pip install codeaudit
 
 or use:
 
-```bash
+```console
 pip install -U codeaudit
 ```
 
@@ -116,7 +119,7 @@ Check https://simplifysecurity.nocomplexity.com/
 
 ## Example
 
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **60 validations** implemented. 
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented. 
 
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.
 

codeaudit-1.1.0.dist-info/RECORD

@@ -0,0 +1,20 @@
+codeaudit/__about__.py,sha256=7IM6Rr1UeszM-VWh3mhwMMoHZMIUsUsaOUYnFtTaZgU,144
+codeaudit/__init__.py,sha256=YGs6qU0BVHPGtXCS-vfBDLO4TOfJDLTWMgaFDTmi_Iw,157
+codeaudit/altairplots.py,sha256=YFXrJxBjN44Mr2JEGad8h_KjSOYuyzt4YE8JyQr9Kj8,2183
+codeaudit/api_interfaces.py,sha256=tMyL9rBJxJhldW_Hp2fPvUlKhdDO4JBkJ3OqrKuyV6E,8898
+codeaudit/checkmodules.py,sha256=aiF34KO-9HZDRgVBtSwVFdeUxT5_Ka5VtmlfgoLgNVs,5582
+codeaudit/codeaudit.py,sha256=yQ7SHx8b3Q9rMu8nCVyyuu3wJr3DlO-BuSIz2ZwJFGM,3426
+codeaudit/complexitycheck.py,sha256=A3_a5v-U0YQr80pWQwSVvOsY_eQtqwNkQf9Txr9mNtQ,3722
+codeaudit/filehelpfunctions.py,sha256=WiVzaCkWSb6n9Y-1WOjGYcjcN9jyiLgHHAqnvQopTvk,4360
+codeaudit/htmlhelpfunctions.py,sha256=-SMsyfF7TRIfJkrUqoJuh7AoG1RVrYFsZfFljoxVHXc,3246
+codeaudit/issuevalidations.py,sha256=-WdaXT_R-P9w0JbQpJ5ngVoVhG9Yee2ri0aH5SoC1Ao,6404
+codeaudit/reporting.py,sha256=hwIZcUryqVlnzfbRKjkIVrT-HJ_7Dx3xd1nkBfn54Ts,22876
+codeaudit/security_checks.py,sha256=wEO_A054zXmLccWGREi6cNADa4IgoOPxHsq-Je5iMIY,2167
+codeaudit/simple.css,sha256=7auhDAUwjdluFIyoCskl-Vfh503prXKqftQrmo0-e_g,3565
+codeaudit/totals.py,sha256=b6OkzcMdqGKPwuGBKrwAeCxBOJxHa5FHauGWnEb-6zM,6387
+codeaudit/data/sastchecks.csv,sha256=-f0WpX9vGCcyy_i-GrEUwIMb-KhzAfoDpJwH6hDtQwo,8286
+codeaudit-1.1.0.dist-info/METADATA,sha256=_hmbLKWxbs0Rj_Mz2oTcYia8m1E_hdOJoOLXU1jYejk,7020
+codeaudit-1.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+codeaudit-1.1.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
+codeaudit-1.1.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
+codeaudit-1.1.0.dist-info/RECORD,,

codeaudit-1.0.0.dist-info/RECORD

@@ -1,19 +0,0 @@
-codeaudit/__about__.py,sha256=AYtzx9ZrNDKvd0GU8vABzU9bqhe7Wo-GYBY5FzypjPs,144
-codeaudit/__init__.py,sha256=YGs6qU0BVHPGtXCS-vfBDLO4TOfJDLTWMgaFDTmi_Iw,157
-codeaudit/altairplots.py,sha256=YFXrJxBjN44Mr2JEGad8h_KjSOYuyzt4YE8JyQr9Kj8,2183
-codeaudit/checkmodules.py,sha256=_oMbidp0iKUYF8yOieFIIiCMQ3nl6qC-OhNDnYclf0Q,4895
-codeaudit/codeaudit.py,sha256=TF9hn3B8GVUJ04aI4mGKArD62akmhhPzPLzN8A1UYhg,3545
-codeaudit/complexitycheck.py,sha256=A3_a5v-U0YQr80pWQwSVvOsY_eQtqwNkQf9Txr9mNtQ,3722
-codeaudit/filehelpfunctions.py,sha256=eM-B9JeF3Krx2vaefaqLrCAl-lrtec_fy0NbTkj7a3s,3846
-codeaudit/htmlhelpfunctions.py,sha256=-SMsyfF7TRIfJkrUqoJuh7AoG1RVrYFsZfFljoxVHXc,3246
-codeaudit/issuevalidations.py,sha256=-WdaXT_R-P9w0JbQpJ5ngVoVhG9Yee2ri0aH5SoC1Ao,6404
-codeaudit/reporting.py,sha256=-xWgpuccGYCaXVTNJSqfv2xwCdseuQD6SgDk55BrUMs,21824
-codeaudit/security_checks.py,sha256=wEO_A054zXmLccWGREi6cNADa4IgoOPxHsq-Je5iMIY,2167
-codeaudit/simple.css,sha256=7auhDAUwjdluFIyoCskl-Vfh503prXKqftQrmo0-e_g,3565
-codeaudit/totals.py,sha256=V809eImKZepsKqKMNr0lNfJ0ILf7qFjS_NrU-veVpm0,6358
-codeaudit/data/sastchecks.csv,sha256=RlyJvDdEDeuACNV-gpQFg8R0_PhikNyV6jzxbbHGu04,7828
-codeaudit-1.0.0.dist-info/METADATA,sha256=AsqTlXkkec74FsAsTClcy7Gmz45zUguzAcDxCmn4HGs,6820
-codeaudit-1.0.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-codeaudit-1.0.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
-codeaudit-1.0.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
-codeaudit-1.0.0.dist-info/RECORD,,