codeaudit 1.3.0__py3-none-any.whl → 1.4.0__py3-none-any.whl

codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.3.0"
+__version__ = "1.4.0"

codeaudit/altairplots.py

@@ -117,3 +117,29 @@ def issue_plot(input_dict):
     )
 
     return chart
+
+
+def issue_overview(df):
+    """
+    Create an Altair arc (donut) chart from a DataFrame 
+    with 'call' and 'count' columns, showing counts in the legend.
+    """
+    # Create a label combining call and count for the legend
+    df = df.copy()
+    df["label"] = df["call"] + " (" + df["count"].astype(str) + ")"
+
+    chart = (
+        alt.Chart(df)
+        .mark_arc(innerRadius=50, outerRadius=120)
+        .encode(
+            theta=alt.Theta("count:Q", title="Count"),
+            color=alt.Color("label:N", title="Calls (Count)"),
+            tooltip=["call", "count"]
+        )
+        .properties(
+            title="Overview of Security Weaknesses",
+            width=600,
+            height=600
+        )
+    )
+    return chart

codeaudit/api_interfaces.py

@@ -139,7 +139,7 @@ def read_input_file(filename):
 
 def get_construct_counts(input_file):
     """
-    Analyze a scan result and count occurrences of code constructs (aka weaknesses).
+    Analyze a Python file or package(directory) and count occurrences of code constructs (aka weaknesses).
 
     This function uses `filescan` API call to retrieve security-related information
     about the input file. This returns a dict. Then it counts how many times each code construct

codeaudit/api_reporting.py

@@ -0,0 +1,36 @@
+"""
+License GPLv3 or higher.
+
+(C) 2025 Created by Maikel Mardjan - https://nocomplexity.com/
+
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+
+
+Public API functions for Python Code Audit aka codeaudit on pypi.org
+
+All reporting API functions are created based on the Code Audit JSON format that is used when scan results are stored using the `codeaudit.api_interfaces.save_to_json` call!
+
+These API functions are on purpose opinionated for one goal: Keep things simple!
+So all results are returned as Pandas Dataframe. This makes things easier for further processing!
+
+"""
+import pandas as pd
+from collections import Counter
+
+def total_weaknesses(input_file):
+    """Returns the total weaknesses found"""
+    scan_result = input_file
+    counter = Counter()
+    
+    for file_info in scan_result.get('file_security_info', {}).values():
+        sast_result = file_info.get('sast_result', {})
+        for construct, occurence in sast_result.items(): #occurence is times the construct appears in a single file
+            counter[construct] += len(occurence)
+    
+    result = dict(counter)
+    df = pd.DataFrame(list(result.items()), columns=['call', 'count'])
+    return df

codeaudit/data/sastchecks.csv

@@ -64,6 +64,8 @@ Shelve Usage,shelve.DbfilenameShelf,High,"The `shelve` module uses `pickle` inte
 Unsafe Deserialization: multiprocessing,connection.recv,High,"Uses pickle, which can execute arbitrary code when receiving data. "
 Unsafe Deserialization: multiprocessing,multiprocessing.connection.Connection,High,Relies on pickle; dangerous with untrusted data. 
 Zipfile Extraction,zipfile.ZipFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Zstandard (zstd) decompression,compression.zstd.open,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Zstandard (zstd) decompression,compression.zstd.decompress,High,Vulnerable to path traversal attacks if used with untrusted archives.
 Gzip File Handling,gzip.open,Medium,Risk of decompression bombs or resource exhaustion with untrusted data.
 BZ2 File Handling,bz2.open,Medium,Decompressing untrusted data can lead to resource exhaustion attacks. 
 BZ2 File Handling,bz2.BZ2File,Medium,Decompressing untrusted data can lead to resource exhaustion attacks. 

codeaudit/pypi_package_scan.py

@@ -0,0 +1,113 @@
+"""
+License GPLv3 or higher.
+
+(C) 2025 Created by Maikel Mardjan - https://nocomplexity.com/
+
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+
+
+Public API functions for Python Code Audit aka codeaudit on pypi.org
+"""
+
+
+import gzip
+import zlib
+import tarfile
+import json
+import tempfile
+
+from urllib.request import Request, urlopen
+from urllib.error import URLError, HTTPError
+
+from codeaudit import __version__
+
+NOCX_HEADERS = {
+    "user-agent": f"Python Code Audit /{__version__} (https://github.com/nocomplexity/codeaudit)",
+    "Accept": "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8",
+    "Accept-Encoding": "gzip, deflate,br",
+    "Connection": "keep-alive",  
+    "Upgrade-Insecure-Requests": "1",  
+}
+
+
+def get_pypi_package_info(package_name):
+    """JSON response, needed to get download URL of sdist"""
+    url = f"https://pypi.org/pypi/{package_name}/json"
+
+    try:
+        with urlopen(url) as response:
+            return json.load(response)
+    except HTTPError:        #When urlopen receives a 4xx (client error) or 5xx (server error) status code, it does not return the response object; instead, it immediately raises an exception called urllib.error.HTTPError. If a package is not found a 40x is send with json response {"message": "Not Found"}, I keep handling errors simple
+        return False # No package with this name found on pypi.org!
+    except URLError as e:
+        print(f"Network error: {e}")
+    return None
+
+def get_pypi_download_info(package_name):
+    """Retrieves the sdist download URL
+    Using the PyPI JSON API to get the sdist download URL (https://docs.pypi.org/api/json/)
+    Note JSON API result is a nested dict with all release info published, so finding the correct sdist download URL needs logic.
+    """
+    if get_pypi_package_info(package_name) :
+        data = get_pypi_package_info(package_name)   
+        releases_dict = data['releases']
+        # Convert the key-value pairs (items) into a list and get the last one
+        last_item = list(releases_dict.items())[-1] #last_item is a Python tuple
+        sdist_download_url = find_download_url(last_item,'source') # We want the download URL of the source, so *.tar.gz file
+        release_info = last_item[0] 
+        pypi_package_info= { "download_url" : sdist_download_url ,
+                            "release" : release_info}
+        return pypi_package_info
+    else:
+        #package does not exist
+        return False
+
+def find_download_url(data, source):
+    """
+    Given the PyPI release tuple and a python_version string,
+    return the URL of the first matching item.
+    """    
+    items = data[1] # Access the list of items directly via index 1 , data is a tuple    
+
+    for item in items:
+        if item.get("python_version") == source:
+            return item.get("url")
+
+    return None  # if no match found`
+
+
+def get_package_source(url, nocxheaders=NOCX_HEADERS, nocxtimeout=10):
+    """Retrieves a package source and extract so SAST scanning can be applied
+    Make sure to cleanup the temporary dir!! Using e.g. `tmp_handle.cleanup()`  # deletes everything
+    """
+    try:
+        request = Request(url, headers=nocxheaders or {})
+        with urlopen(request, timeout=nocxtimeout) as response:
+            content = response.read()
+            content_encoding = response.headers.get("Content-Encoding")
+            if content_encoding == "gzip":
+                content = gzip.decompress(content)
+            elif content_encoding == "deflate":
+                content = zlib.decompress(content, -zlib.MAX_WBITS)
+            elif content_encoding not in [None]:
+                raise ValueError(f"Unexpected content encoding: {content_encoding}")
+
+        # This directory will auto-delete when the context block exits
+        tmpdir_obj = tempfile.TemporaryDirectory(prefix="codeaudit_")
+        temp_dir = tmpdir_obj.name
+
+        tar_path = f"{temp_dir}/package.tar.gz"
+        with open(tar_path, "wb") as f:
+            f.write(content)
+
+        with tarfile.open(tar_path, "r:gz") as tar:
+            tar.extractall(path=temp_dir,filter='data')  #Possible risks are mitigated as far as possible, see architecture notes.
+
+        return temp_dir, tmpdir_obj  # return both so caller controls lifetime
+
+    except Exception as e:
+        print(e)

codeaudit/reporting.py

@@ -27,6 +27,9 @@ from codeaudit.totals import get_statistics , overview_count , overview_per_file
 from codeaudit.checkmodules import get_imported_modules , check_module_vulnerability , get_all_modules , get_imported_modules_by_file
 from codeaudit.htmlhelpfunctions import dict_to_html , json_to_html , dict_list_to_html_table
 from codeaudit import __version__
+from codeaudit.pypi_package_scan import get_pypi_download_info , get_package_source
+
+from codeaudit.api_interfaces import filescan
 
 from importlib.resources import files
 
@@ -104,7 +107,7 @@ def overview_report(directory, filename=DEFAULT_OUTPUT_FILE):
         
 
 def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
-    """Scans Python projects/files, reporting potential security weaknesses.
+    """Scans Python code or packages on PyPI.org on security weaknesses.
         
     This function performs security validations on the specified file or directory, 
     formats the results into an HTML report, and writes the output to an HTML file. 
@@ -119,7 +122,8 @@ def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
     Returns:
         None - A HTML report is written as output
     """
-    # Check if the input is a valid directory or a single valid Python file
+    # Check if the input is a valid directory or a single valid Python file 
+    # In case no local file or directory is found, check if the givin input is pypi package name
     file_path = Path(input_path)
     if file_path.is_dir():
         directory_scan_report(input_path , filename ) #create a package aka directory scan report
@@ -135,9 +139,22 @@ def scan_report(input_path , filename=DEFAULT_OUTPUT_FILE):
         html += '<br>'
         html += DISCLAIMER_TEXT
         create_htmlfile(html,filename)
+    elif get_pypi_download_info(input_path):
+        package_name = input_path #The variable input_path is now equal to the package name
+        print(f"Package: {package_name} exist on PyPI.org!")
+        print(f"Now SAST scanning package from the remote location: https://pypi.org/pypi/{package_name}")        
+        pypi_data = get_pypi_download_info(package_name)
+        url = pypi_data['download_url']
+        release = pypi_data['release']
+        print(url)
+        print(release)
+        src_dir, tmp_handle = get_package_source(url)
+        directory_scan_report(src_dir , filename , package_name, release ) #create scan report for a package or directory
+        # Cleaning up temp directory 
+        tmp_handle.cleanup()  # deletes everything from temp directory                
     else:
         #File is NOT a valid Python file, can not be parsed or directory is invalid.
-        print(f"Error: '{input_path}' isn't a valid Python file or directory path.")
+        print(f"Error: '{input_path}' isn't a valid Python file, directory path to a package or a package on PyPI.org.")
         
    
 
@@ -169,14 +186,14 @@ def single_file_report(filename , scan_output):
     df = df.sort_values(by="line") # sort by line number    
     html = f'<p>Number of potential security issues found: {number_of_issues}</p>'
     html += '<details>' 
-    html += '<summary>Click to see the details for found security issues.</summary>'         
+    html += '<summary>Click to view identified security weaknesses.</summary>'         
     html += df.to_html(escape=False,index=False)        
     html += '</details>'
     file_overview = overview_per_file(filename)    
     df_overview = pd.DataFrame([file_overview])
     html += '<br>'
-    html += '<details>' 
-    html += f'<summary>Click to see details for file {filename}</summary>'                 
+    html += '<details>'     
+    html += f'<summary>Click to see file details.</summary>'                 
     html += df_overview.to_html(escape=True,index=False)        
     html += '</details>'           
     #imported modules
@@ -190,7 +207,7 @@ def single_file_report(filename , scan_output):
     return html 
 
 
-def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
+def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE , package_name=None , release=None):
     """Reports potential security issues for all Python files found in a directory.
     
     This function performs security validations on all files found in a specified directory.
@@ -199,7 +216,7 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
     You can specify the name and directory for the generated HTML report.
 
     Parameters:
-        file_to_scan (str)      : The full path to the Python source file to be scanned.
+        directory_to_scan (str)      : The full path to the Python source files to be scanned. Can be present in temp directory.
         filename (str, optional): The name of the HTML file to save the report to.
                                   Defaults to `DEFAULT_OUTPUT_FILE`.
 
@@ -216,8 +233,12 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
     files_to_check = collect_python_source_files(directory_to_scan)
     html += '<h2>Directory scan report</h2>'         
     name_of_package = get_filename_from_path(directory_to_scan)
-    html += f'<p>Below the result of the Codeaudit scan of the package or directory:<b> {name_of_package}</b></p>' 
-    html += f'<p>Total Python files found: {len(files_to_check)}</p>'
+    if package_name is not None:
+        #Use real package name and retrieved release info
+        html += f'<p>Below the result of the Codeaudit scan of the package - Release :<b> {package_name} - {release} </b></p>'
+    else:
+        html += f'<p>Below the result of the Codeaudit scan of the directory:<b> {name_of_package}</b></p>' 
+    html += f'<p>Total Python files found: <b>{len(files_to_check)}</b></p>'
     number_of_files = len(files_to_check)
     print(f'Number of files that are checked for security issues:{number_of_files}')
     printProgressBar(0, number_of_files, prefix='Progress:', suffix='Complete', length=50)    
@@ -229,7 +250,8 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE):
             file_report_html = single_file_report(file_to_scan , scan_output)             
             name_of_file = get_filename_from_path(file_to_scan)            
             html += f'<h3>Result for file {name_of_file}</h3>'    
-            html += '<p>' + f'Location of the file: {file_to_scan} </p>'          
+            if package_name is None:
+                html += '<p>' + f'Location of the file: {file_to_scan} </p>'          
             html += file_report_html            
         else:
             file_name_with_no_issue = get_filename_from_path(file_to_scan)

{codeaudit-1.3.0.dist-info → codeaudit-1.4.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.3.0
+Version: 1.4.0
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues

{codeaudit-1.3.0.dist-info → codeaudit-1.4.0.dist-info}/RECORD

@@ -1,20 +1,22 @@
-codeaudit/__about__.py,sha256=RyFrPByQ9BxQaBrv6YLqT39zRak3ZUofqavXgXK5WEk,144
+codeaudit/__about__.py,sha256=-bxUcBaBrbGG65qQWVQjAxsqncjywKoDesQoM0JjIYc,144
 codeaudit/__init__.py,sha256=YGs6qU0BVHPGtXCS-vfBDLO4TOfJDLTWMgaFDTmi_Iw,157
-codeaudit/altairplots.py,sha256=pWW5ZQ8HGRjcwXEnME9d7OvM83P7a9-BtvMxj0RyEkE,3794
-codeaudit/api_interfaces.py,sha256=WhxFvGIxc6Jy-MVVJUPSC4f8ZZMHdcMhlTlnS-QARQM,11314
+codeaudit/altairplots.py,sha256=gBXN1_wxUmjzTNizvzbOeCKvUxpClGPdZmK7ICK1x68,4531
+codeaudit/api_interfaces.py,sha256=nnPhVPmodb-2MYCSiToT87uYZypMoX5oKg6WmLCjdiw,11336
+codeaudit/api_reporting.py,sha256=W8eutTJ0d-TENbv5cCmAOfu4GEp_RwiQ4XU5FCmfkoI,1736
 codeaudit/checkmodules.py,sha256=aiF34KO-9HZDRgVBtSwVFdeUxT5_Ka5VtmlfgoLgNVs,5582
 codeaudit/codeaudit.py,sha256=yQ7SHx8b3Q9rMu8nCVyyuu3wJr3DlO-BuSIz2ZwJFGM,3426
 codeaudit/complexitycheck.py,sha256=A3_a5v-U0YQr80pWQwSVvOsY_eQtqwNkQf9Txr9mNtQ,3722
 codeaudit/filehelpfunctions.py,sha256=tx7HDCyTkZuw8YieXipQXM8iRfrDfIVZyKb7vjmkEFY,4358
 codeaudit/htmlhelpfunctions.py,sha256=-SMsyfF7TRIfJkrUqoJuh7AoG1RVrYFsZfFljoxVHXc,3246
 codeaudit/issuevalidations.py,sha256=-WdaXT_R-P9w0JbQpJ5ngVoVhG9Yee2ri0aH5SoC1Ao,6404
-codeaudit/reporting.py,sha256=2Dz9sGCCQXesDO7I_S7uZmrsWTVxDCYCo0AmQyAHoN4,22918
+codeaudit/pypi_package_scan.py,sha256=JxgcCtJaVH9pAQ902gjmzgGGECt71r4gnFhqcZUy3OE,4872
+codeaudit/reporting.py,sha256=eXlslslMgG_4ATFpTEi5wtgwTMOgngAi-38Fg-xaYN4,24299
 codeaudit/security_checks.py,sha256=wEO_A054zXmLccWGREi6cNADa4IgoOPxHsq-Je5iMIY,2167
 codeaudit/simple.css,sha256=7auhDAUwjdluFIyoCskl-Vfh503prXKqftQrmo0-e_g,3565
 codeaudit/totals.py,sha256=b6OkzcMdqGKPwuGBKrwAeCxBOJxHa5FHauGWnEb-6zM,6387
-codeaudit/data/sastchecks.csv,sha256=Iny33kbGe5HMQgNusZuXywEQgZcRLPqI5NXVbv02EYc,9476
-codeaudit-1.3.0.dist-info/METADATA,sha256=990kulWcqEs8xpRZOc0Fo2lv_oJciPnmSV2mu5yzy1U,7505
-codeaudit-1.3.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-codeaudit-1.3.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
-codeaudit-1.3.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
-codeaudit-1.3.0.dist-info/RECORD,,
+codeaudit/data/sastchecks.csv,sha256=fIcyZgymCtAluPta9fTEk6a9DJ2AGJczZYRPUIQuSag,9738
+codeaudit-1.4.0.dist-info/METADATA,sha256=I-dT_-7IdlcdNEinahwY4CN-j6Ty8Q9wlrTbb84dqUk,7505
+codeaudit-1.4.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+codeaudit-1.4.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
+codeaudit-1.4.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
+codeaudit-1.4.0.dist-info/RECORD,,