codeaudit 1.0.0__tar.gz → 1.1.0__tar.gz

codeaudit-1.1.0/CHANGELOG.md

@@ -0,0 +1,44 @@
+# Change Log
+
+## Version 1.1:What's New
+
+We've released a new version with several key improvements focused on making your security workflow smoother and providing more detailed security information.
+
+* Streamlined Scanning:
+
+The separate `directoryscan` command has been removed. You can now use the versatile `filescan` command to scan both individual files and entire directories. This simplifies the command-line interface and makes the process more intuitive.
+
+* Enhanced Reporting:
+
+We've made minor corrections to the documentation and static HTML reports to improve clarity. Additionally, warning messages are now more descriptive, helping you quickly understand potential issues.
+
+* Improved Vulnerability Data:
+
+You'll now get more detailed information about module vulnerabilities. The tool now includes CVSS scores, a standard metric for rating vulnerability severity, giving you a clearer picture of the risks.
+
+* Behind-the-Scenes Fixes:
+
+We've made a more robust and reliable adjustment to how the tool retrieves file names. This ensures consistency and accuracy during scans. We've also added beta-level API functions, opening up new possibilities for integration.
+
+
+
+## Version 1.0
+
+This release represents a stabilisation of Python Code Audit!
+Main changes in relation to the pre-1.0 versions are:
+* More validations added: Python Code Audit now counts 70 security validations!
+* Documentation updates
+* Improved validation for `builtins`, like `compile`, `exec`,, `eval` that can be obfuscated in code. 
+* Various UI/UX updates. CLI text improved and HTML report text made consistent. 
+* Added test to validate correct working for now and in the future. Also validated working with other SAST tools to make sure core functionality is rock solid or better! Spoiler Python Code Audit is better than most used OSS and commercial SAST tools available today!
+
+
+## Beta Versions (Before 1.0)
+
+All published beta version are stable and verified!
+During the public beta phase input of users and experts is retrieved. 
+This resulted is mainly:
+* More validation
+* Better documentation and
+* UI/UX improvements to make sure Python Code Audit is dead simple to use for non-programmers to validate a Python package.
+

{codeaudit-1.0.0 → codeaudit-1.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.0.0
+Version: 1.1.0
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -37,11 +37,14 @@ Python Code Audit - A modern Python source code analyzer based on distrust.
 
 Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy. 
 
+This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
+
 This tool is created for:
-* Users of Python programs who want to known the security risks of the used Python code. 
-* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
-* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
+* Python Users who want to assess the security risks in the Python code they use.
+* Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
+* Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.
 
+Creating secure software can be challenging. This tool, with its comprehensive [documentation](https://nocomplexity.com/documents/codeaudit/intro.html), acts as your helpful security colleague, making it easier to identify and address vulnerabilities.
 
 ## Features
 
@@ -71,7 +74,7 @@ pip install codeaudit
 
 or use:
 
-```bash
+```console
 pip install -U codeaudit
 ```
 
@@ -116,7 +119,7 @@ Check https://simplifysecurity.nocomplexity.com/
 
 ## Example
 
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **60 validations** implemented. 
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented. 
 
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.
 

{codeaudit-1.0.0 → codeaudit-1.1.0}/README.md

@@ -11,11 +11,14 @@ Python Code Audit - A modern Python source code analyzer based on distrust.
 
 Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy. 
 
+This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
+
 This tool is created for:
-* Users of Python programs who want to known the security risks of the used Python code. 
-* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
-* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
+* Python Users who want to assess the security risks in the Python code they use.
+* Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
+* Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.
 
+Creating secure software can be challenging. This tool, with its comprehensive [documentation](https://nocomplexity.com/documents/codeaudit/intro.html), acts as your helpful security colleague, making it easier to identify and address vulnerabilities.
 
 ## Features
 
@@ -45,7 +48,7 @@ pip install codeaudit
 
 or use:
 
-```bash
+```console
 pip install -U codeaudit
 ```
 
@@ -90,7 +93,7 @@ Check https://simplifysecurity.nocomplexity.com/
 
 ## Example
 
-By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **60 validations** implemented. 
+By running the `codeaudit filescan` command, detailed security information is determined for a Python file based on more than **70 validations** implemented. 
 
 The `codeaudit filescan` command shows all **potential** security issues that are detected in the source file in a HTML-report.
 

{codeaudit-1.0.0 → codeaudit-1.1.0}/SECURITY.md

@@ -15,7 +15,6 @@ To report a security issue, please use the GitHub Security Advisory ["Report a V
 
 I will send a response indicating the next steps in handling your report. After the initial reply to your report, I will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
 
-For context on Electron's security notification process, please see the Notifications section of the Security WG's Membership and Notifications Governance document.
 
 ## Learning More About Security
 

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/CLIcommands.ipynb

@@ -13,7 +13,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 1,
+   "execution_count": 9,
    "id": "923aba22-7103-4431-8545-ee5596efa371",
    "metadata": {},
    "outputs": [],
@@ -23,7 +23,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 2,
+   "execution_count": 10,
    "id": "057c9730-7b09-49a8-82f1-bc681d880c96",
    "metadata": {},
    "outputs": [],
@@ -33,7 +33,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 3,
+   "execution_count": 11,
    "id": "67576531-b66f-42a3-b6e4-460423ca28e0",
    "metadata": {},
    "outputs": [],
@@ -44,7 +44,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 4,
+   "execution_count": 12,
    "id": "2717fe66-9e66-4fcc-ae82-0d1ba26892c4",
    "metadata": {},
    "outputs": [],
@@ -54,19 +54,19 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 5,
+   "execution_count": 13,
    "id": "3f286724-0a8f-45b2-80fe-d6d061fe440a",
    "metadata": {},
    "outputs": [],
    "source": [
     "output += '% THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!\\n'\n",
-    "output += '# Overview of Codeaudit commands\\n'\n",
-    "output += f'Codeaudit commands for: {version_id}'"
+    "output += '# Commands Overview\\n'\n",
+    "output += f'Python Code Audit commands for: {version_id}'"
    ]
   },
   {
    "cell_type": "code",
-   "execution_count": 6,
+   "execution_count": 14,
    "id": "693c3354-530b-4a40-a561-ed722d9bb1fa",
    "metadata": {},
    "outputs": [],
@@ -77,7 +77,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 7,
+   "execution_count": 15,
    "id": "5fa9a420-bd9a-4641-99c9-de0bcf448dbc",
    "metadata": {},
    "outputs": [],
@@ -90,19 +90,18 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 8,
+   "execution_count": 16,
    "id": "bf6afe56-e0f7-4fa2-a3a5-968bad11bf9c",
    "metadata": {},
    "outputs": [],
    "source": [
     "commands = {  \"overview\": 'overview_report',               \n",
     "                \"modulescan\": 'report_module_information',\n",
-    "                \"filescan\" : 'file_scan_report',\n",
-    "                \"directoryscan\" : 'directory_scan_report',\n",
+    "                \"filescan\" : 'scan_report',                \n",
     "                \"checks\" : 'report_implemented_tests',\n",
     "               \"version\" : 'display_version'} \n",
     "for key, value in commands.items():    \n",
-    "    output += f'## codeaudit {key}\\n' # newlines matter when creating markdown\n",
+    "    output += f'## Code Audit {key}\\n' # newlines matter when creating markdown\n",
     "    output += '```text\\n' # raw display    \n",
     "    func_name = value\n",
     "    output += getattr(codeaudit, func_name).__doc__\n",
@@ -114,7 +113,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 9,
+   "execution_count": 17,
    "id": "0335783c-7676-4099-94c5-c98cc8f2f205",
    "metadata": {
     "editable": true,
@@ -135,7 +134,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 10,
+   "execution_count": 18,
    "id": "4667d7ec-3727-4e2d-97b5-6f597c697ec7",
    "metadata": {},
    "outputs": [],
@@ -160,7 +159,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.13.1"
+   "version": "3.13.5"
   }
  },
  "nbformat": 4,

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/CONTRIBUTE.md

@@ -23,7 +23,7 @@ This simple tool is designed to be simple to use and maintain.
 
 **Pull Requests are welcome!** 
 
-When you contribute to Codeaudit, your contributions are made under the same license as the file you are working on. 
+When you contribute to Python Code Audit, your contributions are made under the same license as the file you are working on. 
 
 
 We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration. C4 is meant to provide a reusable optimal collaboration model for open source software projects. 

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/_toc.yml

@@ -7,11 +7,11 @@ parts:
   - file: features
   - file: userguide
     sections:
-    - file: codeauditoverview
-    - file: directoryscan
+    - file: codeauditoverview    
     - file: filescan
     - file: modulescan
     - file: codeauditchecks
+  - file: howtoscan
   - file: whysast
   - file: issues
   
@@ -51,17 +51,17 @@ parts:
   chapters:     
   #- file: astlines
   # - file: astlines2
+  - file: makeitbetter
   - file: complexitycheck
   - file: warnings
-  - file: codeauditcommands
+  - file: codeauditcommands  
   - file: changelog
   
   
-  
 # - caption: API Documentation
 #   chapters:  
-#   - file: modules
-      
+#   - file: codeaudit
+   
 
 - caption: About
   chapters:  

codeaudit-1.1.0/docs/codeaudit.rst

@@ -0,0 +1,12 @@
+codeaudit package
+=================
+
+
+codeaudit.api\_interfaces module
+--------------------------------
+
+.. automodule:: codeaudit.api_interfaces
+   :members:
+   :undoc-members:
+   :show-inheritance:
+

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
-# Overview of Codeaudit commands
-Codeaudit commands for: version: 0.10.0
+# Commands Overview
+Python Code Audit commands for: version: 1.1.0
 ```
 ----------------------------------------------------
  _                    __             _             
@@ -17,9 +17,8 @@ Depending on the command, a directory or file name must be specified. The output
 
 Commands:
   overview             Reports Complexity and statistics per Python file from a directory.
-  directoryscan        Reports potential security issues for all Python files found in a directory.
-  filescan             Reports potential security issues for a single Python file.
-  modulescan           Reports module information per file.
+  filescan             Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+  modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
 
@@ -27,7 +26,7 @@ Use the Codeaudit documentation to check the security of Python programs and mak
 Check https://simplifysecurity.nocomplexity.com/ 
 
 ```
-## codeaudit overview
+## Code Audit overview
 ```text
 Reports Complexity and statistics per Python file from a directory.
 
@@ -45,9 +44,9 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## codeaudit modulescan
+## Code Audit modulescan
 ```text
-Reports module information per file.str(object='') -> str
+Reports module vulnerability information.str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str
 
 Create a new string object from the given object. If encoding or
@@ -58,41 +57,14 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## codeaudit filescan
+## Code Audit filescan
 ```text
-Reports potential security issues for a single Python file.
-
-This function performs security validations on the specified file, 
+Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
+    
+This function performs security validations on the specified file or directory, 
 formats the results into an HTML report, and writes the output to an HTML file. 
 
-You can specify the name and directory for the generated HTML report.
-
-Parameters:
-    file_to_scan (str)      : The full path to the Python source file to be scanned.
-    filename (str, optional): The name of the HTML file to save the report to.
-                              Defaults to `DEFAULT_OUTPUT_FILE`.
-
-Returns:
-    None - A HTML report is written as output
-str(object='') -> str
-str(bytes_or_buffer[, encoding[, errors]]) -> str
-
-Create a new string object from the given object. If encoding or
-errors is specified, then the object must expose a data buffer
-that will be decoded using the given encoding and error handler.
-Otherwise, returns the result of object.__str__() (if defined)
-or repr(object).
-encoding defaults to 'utf-8'.
-errors defaults to 'strict'.
-```
-## codeaudit directoryscan
-```text
-Reports potential security issues for all Python files found in a directory.
-
-This function performs security validations on all files found in a specified directory.
-The result is written to a HTML report. 
-
-You can specify the name and directory for the generated HTML report.
+You can specify the name of the outputfile and directory for the generated HTML report. Make sure you chose the extension `.html` since the output file is a static html file.
 
 Parameters:
     file_to_scan (str)      : The full path to the Python source file to be scanned.
@@ -112,7 +84,7 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## codeaudit checks
+## Code Audit checks
 ```text
 
 Creates an HTML report of all implemented security checks.
@@ -143,7 +115,7 @@ or repr(object).
 encoding defaults to 'utf-8'.
 errors defaults to 'strict'.
 ```
-## codeaudit version
+## Code Audit version
 ```text
 Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/features.md

@@ -1,9 +1,9 @@
 # Features
 
-Codeaudit is a modern Python source code analyzer based on distrust.
+Python Code Audit is a modern Python source code analyzer based on distrust.
 
 
-:::{admonition} This Python Code Audit tool has the following features:
+:::{admonition} Python Code Audit tool has the following features:
 :class: tip
 
 
@@ -15,7 +15,7 @@ Codeaudit is a modern Python source code analyzer based on distrust.
 
 +++
 
-* **Module Usage & External Vulnerabilities**: Detects used modules and reports existing vulnerabilities in used modules.
+* **Module Usage & External Vulnerabilities**: Detects used modules and reports known vulnerabilities in used modules.
 
 
 +++
@@ -31,9 +31,9 @@ Codeaudit is a modern Python source code analyzer based on distrust.
 
 
 
-Codeaudit has the has the following capabilities:
+Python Code Audit has the has the following capabilities:
 
-*  Detect and reports complexity and statistics per Python file or from a directory. 
+*  Detect and reports complexity and statistics per Python file or from a directory. So you scan a complete Python package before running.
 
 Collected statistics are: 
     * Number_Of_Files
@@ -46,7 +46,7 @@ Collected statistics are:
 
 * All statistics are gathered per Python file. A summary is given for the inspected directory.
 
-*  Detect and reports which module are used within a Python file.
+*  Detect and reports which module are used within a Python file. 
 
 *  Reports valuable known security information on used modules.
 

{codeaudit-1.0.0 → codeaudit-1.1.0}/docs/filescan.md

@@ -1,9 +1,10 @@
 # Command `codeaudit filescan`
 
-The Codeaudit filescan command creates a report with valuable security information for potential security issues in the Python file.
+The Codeaudit filescan command creates a report with valuable security information for potential security issues in a Python file or Python package (directory with Python files).
+
 See section [validations](checksinformation) for all security checks implemented!
 
-The filescan module works per file.
+The filescan module works on single files or on packages (directory with Python files).
 
 To use the `codescan filescan` feature type in the console:
 
@@ -11,17 +12,31 @@ To use the `codescan filescan` feature type in the console:
 codeaudit filescan <INPUTFILE>  [OUTPUTFILE]
 ```
 
-The `<INPUTFILE>` is mandatory. Codeaudit will create a detailed security scan report for the given Python file.
+The `<INPUTFILE>` is mandatory. Codeaudit will create a detailed security scan report for the given Python file or directory.
 
 If you do not specify [OUTPUTFILE], a HTML output file, a HTML report file is created in the current directory and will be named codeaudit-report.html.
 
 When running codeaudit filescan detailed information is determined for a Python file based on more than 60 validations implemented.
 
-The filescan report shows all **potential** security issues that are detected in the source file.
+The filescan report shows all **potential** security issues that are detected in the source file(s).
+
 Per line a the in construct that can cause a security risks is shown, along with the relevant code lines where the issue is detected.
 
 ![Example view of filescan report](filescan.png)
 
+
+:::{note} 
+The `codeaudit filescan` command does **NOT** include all directories. This is done on purpose!
+
+The following directories are skipped by default:
+* `/docs`
+* `/docker`
+* `/dist`
+* `/tests`
+* all directories that start with `.` (dot) or `_` (underscore)
+:::
+
+
 ## Example
 
 ```
@@ -37,23 +52,23 @@ Example report of a [codeaudit filescan report](examples/filescan.html) that is
 
 ```
 NAME
-    codeaudit filescan - Reports potential security issues for a single Python file.
+    codeaudit filescan - Scans Python files or directories(packages) for vulnerabilities and reports potential issues.
 
 SYNOPSIS
-    codeaudit filescan FILE_TO_SCAN <flags>
+    codeaudit filescan INPUT_PATH <flags>
 
 DESCRIPTION
-    This function performs security validations on the specified file, 
+    This function performs security validations on the specified file or directory, 
     formats the results into an HTML report, and writes the output to an HTML file. 
 
-    You can specify the name and directory for the generated HTML report.
+    You can specify the name of the outputfile and directory for the generated HTML report. Make sure you chose the extension `.html` since the output file is a static html file.
 
 POSITIONAL ARGUMENTS
-    FILE_TO_SCAN
-        The full path to the Python source file to be scanned.
+    INPUT_PATH
 
 FLAGS
     -f, --filename=FILENAME
         Default: 'codeaudit-report.html'
         The name of the HTML file to save the report to. Defaults to `DEFAULT_OUTPUT_FILE`.
+
 ```

codeaudit-1.1.0/docs/howtoscan.md

@@ -0,0 +1,113 @@
+# How to do a SAST test?
+
+Running a Static Application Security Test (SAST) on Python code is essential for ensuring security. It’s also a straightforward [shift-left practice](https://nocomplexity.com/documents/simplifysecurity/intro.html#)  that takes only a fraction of your time yet can help you avoid serious security incidents.
+
+
+
+Follow these steps to perform a **static application security test (SAST)** on Python projects using **Python Code Audit**.  
+
+
+
+## 1. Install Python Code Audit
+
+[Python Code Audit](https://pypi.org/project/codeaudit/) is an open-source, zero-configuration tool that validates whether your Python code introduces potential security vulnerabilities.  
+
+Install (or update) it with:  
+
+```bash
+pip install -U codeaudit
+```
+
+:::{tip} 
+Even if you already have it installed, it’s recommended to run the command again to ensure you’re using the latest checks and features.  
+:::
+
+
+
+## 2. Clone the Repository you want to scan
+
+To clone a repository:  
+
+1. Go to the repository page (e.g., on GitHub).  
+2. Click the green **Code** button.  
+3. Copy the HTTPS URL.  
+4. Run:  
+
+```bash
+git clone <repository_url>
+```
+
+**Example:** Clone the [Pydantic library](https://github.com/pydantic/pydantic):  
+
+```bash
+git clone https://github.com/pydantic/pydantic.git
+```
+
+---
+
+## 3. Generate an Overview Report
+
+Navigate into the cloned repository, then run:  
+
+```bash
+codeaudit overview
+```
+
+This command provides:  
+- Total number of files  
+- Total lines of code  
+- Imported modules  
+- Complexity per file  
+- Overall complexity score  
+
+:::{tip} 
+📖 More detailed explanations of these metrics can be found in the [Python Code Audit documentation](https://nocomplexity.com/documents/codeaudit/intro.html).  
+:::
+
+
+
+---
+
+## 4. Run a Full Directory Scan
+
+To scan every file in the repository, use:  
+
+```bash
+codeaudit filescanscan <DIRECTORY> [OUTPUTFILE]
+```
+
+- `DIRECTORY`: Path to the repository folder (e.g., `pydantic`).  
+- `OUTPUTFILE` *(optional)*: Name of the HTML report file. If omitted, a default report is created.  
+
+**Example:** Scan the cloned Pydantic package:  
+
+```bash
+codeaudit filescan pydantic
+```
+
+---
+
+## 5. Review the Security Report
+
+The scan generates a static **HTML report** in the directory where you ran the command.  
+
+Example output path:  
+
+```
+file:///home/usainbolt/testdir/codeaudit-report.html
+```
+
+- On **Linux**, you can usually click the link directly in the terminal.  
+- On **Windows**, you may need to manually copy and paste the file path into your browser.  
+
+---
+
+✅ You now have a detailed static application security test (SAST) report highlighting potential security issues in your Python code. 
+
+
+:::{hint} 
+If you need assistance with solving or want short and clear advice on possible security risks for your context:
+
+Get expert security advice  from one of our [sponsors](sponsors)!
+
+:::