PyPI - codeaudit - Versions diffs - 1.7.0__tar.gz → 1.7.1__tar.gz - Mend

codeaudit 1.7.0tar.gz → 1.7.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (257) hide show

{codeaudit-1.7.0 → codeaudit-1.7.1}/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,29 @@
 # Change Log
+## Version 1.7.1:
+**Added**
+* **PyPI Update Indicator:** Added an indicator for the last update of PyPI packages, implemented for both the CLI version and the Dashboard version.
+* **Test Coverage:** Added extra tests to improve codebase stability.
+* **Dashboard Overview (WASM version):** The total number of weaknesses is now displayed directly in the overview tab.
+**Changed**
+* **CLI Report Optimization (Modules):** The CLI report now only displays modules when they are actually found.
+* **CLI Report Optimization (Tips):** The CLI report now only displays the tip to check external modules for vulnerabilities if vulnerabilities are actually present in a file.
+**Fixed**
+* **Windows 11 Compatibility:** Fixed an issue to ensure `codeaudit overview` works properly on Windows 11, specifically resolving a bug in the `count_lines_iterate` function.
+* **Altair Visuals:** Fixed stability issues with the Altair Visual overview in the `codeaudit overview` section, making it stable again.
+**Documentation**
+* General documentation updates and minor fixes.
 ## Version 1.7.0:
 **Added**

{codeaudit-1.7.0 → codeaudit-1.7.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.7.0
+Version: 1.7.1
 Summary: A modern Python security source code analyzer (SAST) based on distrust.
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -44,10 +44,9 @@ Description-Content-Type: text/markdown
 [![License](https://img.shields.io/badge/License-GPLv3-FFD700)](https://nocomplexity.com/documents/codeaudit/license.html)
 [![PyPI Downloads](https://static.pepy.tech/badge/codeaudit)](https://pepy.tech/projects/codeaudit)
-Python Code Audit - A modern Python source code analyzer based on distrust.
-Python Code Audit is a tool to find **security weaknesses** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit - A modern Python security source code analyzer based on distrust.
+Python Code Audit is a static application security testing (SAST) tool designed to identify **security weaknesses** in Python source code. It combines **powerful analysis features** with an intuitive workflow, making essential security audits both simple and engaging.
 This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
@@ -73,6 +72,7 @@ Python Code Audit has the following features:
 * **External Egress Detection**: Identifies embedded API keys and logic that enables communication with remote services, helping uncover hidden data exfiltration paths.
+* **CI/CD Ready:** Integrates seamlessly into any CI/CD workflow.
 * **HTML Reports**: All output is saved in simple, static HTML reports viewable in any browser.
@@ -84,11 +84,20 @@ Python Code Audit has the following features:
 ## Installation
+> [!TIP]
+> Try it instantly—no installs, no setup, no excuses.
+>
+> 👉 Launch the browser version [here](https://nocomplexity.com/codeauditapp/dashboardapp.html)
+It runs 100% locally in your browser using WebAssembly (WASM). See the power of the tool in under 60 seconds.
+No downloads. No dependencies. Just click and do a security audit on Python Code.
+Loved the browser version? Unlock the full power. For advanced security code inspections, CI/CD integration, and all professional features, install the complete Python package:
 ```console
 pip install -U codeaudit
 ```
-If you would like to test this security tool without installing it, simply use the WASM version [available here](https://nocomplexity.com/codeauditapp/dashboardapp.html).

{codeaudit-1.7.0 → codeaudit-1.7.1}/README.md RENAMED Viewed

@@ -10,10 +10,9 @@
 [![License](https://img.shields.io/badge/License-GPLv3-FFD700)](https://nocomplexity.com/documents/codeaudit/license.html)
 [![PyPI Downloads](https://static.pepy.tech/badge/codeaudit)](https://pepy.tech/projects/codeaudit)
-Python Code Audit - A modern Python source code analyzer based on distrust.
-Python Code Audit is a tool to find **security weaknesses** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit - A modern Python security source code analyzer based on distrust.
+Python Code Audit is a static application security testing (SAST) tool designed to identify **security weaknesses** in Python source code. It combines **powerful analysis features** with an intuitive workflow, making essential security audits both simple and engaging.
 This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.
@@ -39,6 +38,7 @@ Python Code Audit has the following features:
 * **External Egress Detection**: Identifies embedded API keys and logic that enables communication with remote services, helping uncover hidden data exfiltration paths.
+* **CI/CD Ready:** Integrates seamlessly into any CI/CD workflow.
 * **HTML Reports**: All output is saved in simple, static HTML reports viewable in any browser.
@@ -50,11 +50,20 @@ Python Code Audit has the following features:
 ## Installation
+> [!TIP]
+> Try it instantly—no installs, no setup, no excuses.
+>
+> 👉 Launch the browser version [here](https://nocomplexity.com/codeauditapp/dashboardapp.html)
+It runs 100% locally in your browser using WebAssembly (WASM). See the power of the tool in under 60 seconds.
+No downloads. No dependencies. Just click and do a security audit on Python Code.
+Loved the browser version? Unlock the full power. For advanced security code inspections, CI/CD integration, and all professional features, install the complete Python package:
 ```console
 pip install -U codeaudit
 ```
-If you would like to test this security tool without installing it, simply use the WASM version [available here](https://nocomplexity.com/codeauditapp/dashboardapp.html).

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/CONTRIBUTE.md RENAMED Viewed

@@ -22,6 +22,8 @@ These are all activities we’d like to get help with :
 - Website design and development
 :::
+Or just make a [donation](donate-label)!
 The **Codeaudit** code repository is hosted at [Github](https://github.com/nocomplexity/codeaudit).
 Simple Guidelines:

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/_toc.yml RENAMED Viewed

@@ -68,9 +68,7 @@ parts:
 - caption: Architecture
-  chapters:
-  #- file: astlines
-  # - file: astlines2
+  chapters:
   - file: architecture
   - file: makeitbetter
   - file: project_philosophy

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/about.md RENAMED Viewed

@@ -19,14 +19,14 @@ Currently, I lead initiatives at NoComplexity.com, an innovative IT company focu
 :gutter: 3
 :::{grid-item-card}
-:link: https://nocomplexity.com/documents/securityarchitecture/introduction.html
+:link: https://securitytesting.nocomplexity.com/
 :link-type: url
-{octicon}`book;2em;caption-text` **Open Security Reference Architecture**
+{octicon}`book;2em;caption-text` **Mastering Security Testing for Python**
 ^^^
-Cyber security can still be simple and effective.
-Use this Playbook to create better and faster security solutions for your security use case.
+Gain a deep understanding of the methodologies and specialised tools to conduct security validation for Python applications.
 :::
 :::{grid-item-card}
 :link: http://securitybydesign.nocomplexity.com/
 :link-type: url
@@ -37,31 +37,32 @@ Master the topic quickly with this eBook.
 :::
 :::{grid-item-card}
-:link: https://nocomplexity.com/documents/securitysolutions/intro.html
+:link: https://nocomplexity.com/documents/reports/SimplifySecurity.pdf
 :link-type: url
-{octicon}`book;2em;caption-text` **Open Security Solutions**
+{octicon}`book;2em;caption-text` **Simplify Cyber Manifest**
 ^^^
-Given the vast array of FOSS cybersecurity products available, this publication offers a handcrafted curated selection.
+A manifesto to revolutionize cybersecurity through simplification.
 :::
 :::{grid-item-card}
-:link: https://nocomplexity.com/documents/reports/SimplifySecurity.pdf
+:link: https://nocomplexity.github.io/pythonsecurity/
 :link-type: url
-{octicon}`book;2em;caption-text` **Simplify Cyber Manifest**
+{octicon}`book;2em;caption-text` **Python Security Handbook**
 ^^^
-A manifesto to revolutionize cybersecurity through simplification.
+This book will give you a deep understanding of how to develop secure Python applications. It also equips you with the knowledge needed to assess the security of Python code written by others.
 :::
 :::{grid-item-card}
-:link: https://nocomplexity.com/documents/simplifysecurity/intro.html#
+:link: https://nocomplexity.com/documents/securityarchitecture/introduction.html
 :link-type: url
-{octicon}`book;2em;caption-text` **Simplify Security**
+{octicon}`book;2em;caption-text` **Open Security Reference Architecture**
 ^^^
-Find open simple cyber solutions that work. Simplify cyber security to accelerate its effectiveness.
+Cyber security can still be simple and effective.
+Use this Playbook to create better and faster security solutions for your security use case.
 :::
 :::{grid-item-card}
 :link: https://nocomplexity.com/documents/simplifyprivacy/intro.html
 :link-type: url
@@ -71,6 +72,15 @@ This digital Playbook is all about protecting *your* digital privacy.
 :::
+:::{grid-item-card}
+:link: https://nocomplexity.com/documents/securitysolutions/intro.html
+:link-type: url
+{octicon}`book;2em;caption-text` **Open Security Solutions**
+^^^
+Given the vast array of FOSS cybersecurity products available, this publication offers a handcrafted curated selection.
+:::
 ::::
 % End of Cards grid

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/architecture.md RENAMED Viewed

@@ -56,13 +56,19 @@ We focus on delivering a simple, trustworthy security tool that performs its def
 The following design choices have been made for Python Code Audit:
-* **The Python AST library is used for complex validations.**
+* **The Python AST library is used to determine weaknesses and perform code validation.**
   * **Rationale:** As we are creating a Python-specific security checker, using the `ast` module provides **significant** advantages:
     1. Code is not executed during examination, which is a major benefit when validating potentially malicious code.
     2. Implementing basic checks using complex regex patterns would make the code and its maintenance unnecessarily difficult.
     3. Users can add extra validations in a simple, straightforward manner.
++++
 * **Python Code Audit is not designed for identifying weaknesses in web applications.**
   * **Rationale:** We check Python source code, but do not perform XSS or SQL injection checks. Every Python web application **should** use a battle-tested FOSS framework that prevents these vulnerabilities by design. Testing for these would require building a fuzzer rather than a static code scanner. There are other tools that **must** always be used for validating web applications.
++++
 * **Postpone code performance optimisations until truly necessary.**
   * **Rationale:** We aim for a loosely coupled architecture of key functions; performance optimisations can be introduced at a later stage if required. In practice, performance optimisations are rarely needed. Most time will be spent by humans analysing results before deciding whether to use a Python package, or making security improvements to their own code. The baseline performance for scanning a 10MB Python package should be the priority.
   * **Implication:** Ensure that performance optimisations can be applied later to specific functional blocks if they are found to be causing bottlenecks for users.

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/checks/assert_check.md RENAMED Viewed

@@ -129,3 +129,7 @@ For robust validation and error handling in production code, always use standard
 * [The assert statement - Python Documentation](https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement)
 * [The dangers of assert in Python](https://snyk.io/blog/the-dangers-of-assert-in-python/)
 * [Feature: Python assert should be consider harmful](https://community.sonarsource.com/t/feature-python-assert-should-be-consider-harmful/38501) But note that Sonar did not implement this check.
+* [CVE-2017-1000433](https://nvd.nist.gov/vuln/detail/CVE-2017-1000433) and see the related [issues/451](https://github.com/IdentityPython/pysaml2/issues/451)
+* [Advisory: pysaml2 Improper Authentication vulnerability](https://github.com/advisories/GHSA-924m-4pmx-c67h)
+* [Rethinking Python Asserts in SAST](https://nocomplexity.com/python-asserts/)

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/cimode.md RENAMED Viewed

@@ -71,7 +71,7 @@ If needed, you can also export the `json` output for further processing in a sep
 ### HTML report example
-```yml
+```yaml
 # SAST scan with Python Code Audit on GitLab.com
 image: python:3.13-slim
@@ -137,7 +137,7 @@ codeaudit-scan:
 For structured processing or integration with other tools:
-```yml
+```yaml
 codeaudit-scan:
   stage: scan

{codeaudit-1.7.0 → codeaudit-1.7.1}/docs/codeauditcommands.md RENAMED Viewed

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.7.0
+Python Code Audit commands for: version: 1.7.1
 ```
 ----------------------------------------------------
  _                    __             _

codeaudit-1.7.1/docs/examples/ca_api_example_basic.ipynb ADDED Viewed

@@ -0,0 +1,352 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "id": "75cc2707-bfcf-47f2-8e88-c0439925d089",
+   "metadata": {},
+   "source": [
+    "# Basic API functions usage\n",
+    "\n",
+    "Using the Python Code Audit APIs is simple and straightforward!\n",
+    "\n",
+    "If you have any questions, feel free to [get in touch!](../CONTRIBUTE)\n",
+    "\n",
+    "To use the Python Code Audit functions, simply import the desired function into your notebook or Python script.\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "58e7c8f7-c5b5-422d-a5a7-5e0c072924f4",
+   "metadata": {},
+   "source": [
+    "To use the **Python Code Audit** functions import the function you want to use in a notebook or in a Python file."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "6f7bfa6f-7f17-4dfc-a083-437d896e7f7b",
+   "metadata": {},
+   "source": [
+    "## Platform information\n",
+    "\n",
+    "The `platform_info()` function provides detailed information about the runtime environment.\n",
+    "\n",
+    "This information is essential for both security purposes and handling edge cases that may affect the behavior of the APIs.\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 1,
+   "id": "ce7f815a-92f0-4bcb-abf1-526e31115ec7",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from codeaudit.api_interfaces import platform_info"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 2,
+   "id": "2b6fd416-4756-4b9b-89d2-587b7805d9a9",
+   "metadata": {},
+   "outputs": [
+    {
+     "data": {
+      "text/plain": [
+       "{'python_version': '3.14.6', 'python_implementation': 'CPython'}"
+      ]
+     },
+     "execution_count": 2,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "platform_info()"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "6e4e3edb-9983-42af-aa91-c2ce3af689d8",
+   "metadata": {},
+   "source": [
+    "## Python Code Audit version information\n",
+    "\n",
+    "Good security validation starts with knowing which tools — and which versions — you have used.\n",
+    "\n",
+    "When you build your own APIs using this framework, all critical scanning API calls automatically include a version identifier.\n",
+    "\n",
+    "However, if you need to **retrieve the version information**  using a script (for example, when creating CI/CD scripts), you can easily do so using the following command:\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 3,
+   "id": "7c3df6ef-1bbf-400b-8b4e-4e5bd0700471",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from codeaudit.api_interfaces import version"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 4,
+   "id": "6258c5f0-4002-425d-b643-c6d491eb1335",
+   "metadata": {},
+   "outputs": [
+    {
+     "data": {
+      "text/plain": [
+       "{'name': 'Python_Code_Audit', 'version': '1.7.0'}"
+      ]
+     },
+     "execution_count": 4,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "version()"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "98422d63-ec29-49b2-bb4c-3912288cb584",
+   "metadata": {},
+   "source": [
+    "## Overview of vulnerability of a module\n",
+    "\n",
+    "This API retrieves security vulnerability data for external modules via the [OSV (Open Source Vulnerability) Database](https://nocomplexity.com/documents/securityarchitecture/references/vulnerabilitydatabases.html#vulnerability-databases).\n",
+    "\n",
+    "**How it Works**\n",
+    "- Input: Provide the name of the module you wish to query.\n",
+    "\n",
+    "- External Call: This function triggers an external request. Please note that the OSV Database is not designed for high-frequency, continuous polling. Use this API judiciously to avoid rate-limiting or performance issues.\n",
+    "\n",
+    "- Output: The API returns a Python dictionary containing comprehensive vulnerability details. This structured data allows you to build custom reporting and monitoring tools tailored to your needs.\n",
+    "\n",
+    "**Best Practices** \n",
+    "Validating external modules for known vulnerabilities should be a standard security requirement, not an optional step. Because security risk depends on how a module is implemented, you must evaluate the returned data to determine if a module meets the security standards for your specific use case.\n",
+    "\n",
+    "\n",
+    ":::{attention} \n",
+    "Checking against known vulnerabilities is not as strong as doing a SAST scan on code. \n",
+    "\n",
+    "**So always use Python Code Audit and check on (new)weaknesses!!**\n",
+    ":::\n",
+    "\n",
+    "\n",
+    "Too many tools only check Python programs and their dependencies (or used modules) against known vulnerabilities.\n",
+    "\n",
+    "Many security tools focus exclusively on auditing Python programs and their direct dependencies against lists of known vulnerabilities. These vulnerabilities are typically tracked and published in global repositories:\n",
+    "\n",
+    "- NVD & CVE: Security flaws are officially identified and catalogued using the Common Vulnerabilities and Exposures (CVE) system. These are central to the U.S. National Vulnerability Database (NVD).\n",
+    "\n",
+    "- [OSV Database](https://nocomplexity.com/documents/securityarchitecture/references/vulnerabilitydatabases.html#vulnerability-databases): In addition to the NVD, many Open Source Software (OSS) vulnerabilities are aggregated in the Google-managed OSV (Open Source Vulnerability) database, which provides a more distributed and developer-friendly format for many ecosystems.\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "29123ac5-93a6-4a62-aadf-46deb3332631",
+   "metadata": {},
+   "source": [
+    "### How to use this API call"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 5,
+   "id": "1e5c0e2d-67f4-4188-ab1f-c7ca3e232f0d",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from codeaudit.api_interfaces import get_module_vulnerability_info"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 6,
+   "id": "fcd4390b-842b-436e-b1a8-5eb3c98a9cbb",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "vulnerability_info = get_module_vulnerability_info(\"pandas\")  #now the vulnerabilty information , if available, is retrieved "
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 7,
+   "id": "de511475-53b0-4a1c-83e0-f20118ccb39a",
+   "metadata": {},
+   "outputs": [
+    {
+     "data": {
+      "text/plain": [
+       "{'name': 'Python_Code_Audit',\n",
+       " 'version': '1.7.0',\n",
+       " 'generated_on': '2026-06-25 10:29',\n",
+       " 'pandas_vulnerability_info': [{'id': 'PYSEC-2020-73',\n",
+       "   'summary': '',\n",
+       "   'details': \"** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.\",\n",
+       "   'aliases': ['CVE-2020-13091'],\n",
+       "   'severity': []}]}"
+      ]
+     },
+     "execution_count": 7,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "vulnerability_info  #shows retrieved vulnerability information for external modules."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "b86b60b3-af3c-4777-b0cc-788aad12148f",
+   "metadata": {},
+   "source": [
+    "### Known vulnerabilities of the Python module: `requests`"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "2f8ee3d5-2258-4b4d-b942-5868e7f017a3",
+   "metadata": {},
+   "source": [
+    "An example for the output of known vulnerabilities of a well known Python module: `requests`\n",
+    "\n",
+    "If you see this output ask the question if you really should use this module!"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 8,
+   "id": "e9fe4117-0494-452d-9eb5-044be59ea8a8",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "vulnerability_info = get_module_vulnerability_info(\"requests\")  #now the vulnerabilty information , if available, is retrieved "
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 9,
+   "id": "bdcc1fb0-0efc-4821-ac40-9cc13271af55",
+   "metadata": {},
+   "outputs": [
+    {
+     "data": {
+      "text/plain": [
+       "{'name': 'Python_Code_Audit',\n",
+       " 'version': '1.7.0',\n",
+       " 'generated_on': '2026-06-25 10:29',\n",
+       " 'requests_vulnerability_info': [{'id': 'GHSA-652x-xj99-gmcc',\n",
+       "   'summary': 'Exposure of Sensitive Information to an Unauthorized Actor in Requests',\n",
+       "   'details': 'Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.',\n",
+       "   'aliases': ['CVE-2014-1830', 'PYSEC-2014-14'],\n",
+       "   'severity': [{'type': 'CVSS_V4',\n",
+       "     'score': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}]},\n",
+       "  {'id': 'GHSA-9hjg-9r4m-mvj7',\n",
+       "   'summary': 'Requests vulnerable to .netrc credentials leak via malicious URLs',\n",
+       "   'details': '### Impact\\n\\nDue to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.\\n\\n### Workarounds\\nFor older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)).\\n\\n### References\\nhttps://github.com/psf/requests/pull/6965\\nhttps://seclists.org/fulldisclosure/2025/Jun/2',\n",
+       "   'aliases': ['CVE-2024-47081'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}]},\n",
+       "  {'id': 'GHSA-9wx4-h78v-vm56',\n",
+       "   'summary': 'Requests `Session` object does not verify requests after making first request with verify=False',\n",
+       "   'details': \"When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later.\\n\\nThis occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity.\\n\\nThis behavior affects versions of `requests` prior to 2.32.0.\",\n",
+       "   'aliases': ['CVE-2024-35195'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N'}]},\n",
+       "  {'id': 'GHSA-cfj3-7x9c-4p3h',\n",
+       "   'summary': 'Exposure of Sensitive Information to an Unauthorized Actor in Requests',\n",
+       "   'details': 'Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.',\n",
+       "   'aliases': ['CVE-2014-1829', 'PYSEC-2014-13'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'},\n",
+       "    {'type': 'CVSS_V4',\n",
+       "     'score': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}]},\n",
+       "  {'id': 'GHSA-gc5v-m9x4-r6x2',\n",
+       "   'summary': 'Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function',\n",
+       "   'details': '### Impact\\nThe `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.\\n\\n### Affected usages\\n**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.\\n\\n### Remediation\\nUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.\\n\\nIf developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.',\n",
+       "   'aliases': ['CVE-2026-25645'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N'}]},\n",
+       "  {'id': 'GHSA-j8r2-6x86-q33q',\n",
+       "   'summary': 'Unintended leak of Proxy-Authorization header in requests',\n",
+       "   'details': \"### Impact\\n\\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\\n\\n**Current vulnerable behavior(s):**\\n\\n1. HTTP → HTTPS: **leak**\\n2. HTTPS → HTTP: **no leak**\\n3. HTTPS → HTTPS: **leak**\\n4. HTTP → HTTP: **no leak**\\n\\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\\n\\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\\n\\n### Patches\\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\\n\\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\\n\\n### Workarounds\\nFor users who are not able to update Requests immediately, there is one potential workaround.\\n\\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\\n```\\nimport requests\\nr = requests.get('http://github.com/', allow_redirects=False)\\n```\\n\\n### Credits\\n\\nThis vulnerability was discovered and disclosed by the following individuals.\\n\\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\\nTobias Funke, (tobiasfunke93@gmail.com)\",\n",
+       "   'aliases': ['CVE-2023-32681', 'PYSEC-2023-74'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}]},\n",
+       "  {'id': 'GHSA-pg2w-x9wp-vw92',\n",
+       "   'summary': 'Python Requests Session Fixation',\n",
+       "   'details': 'The `resolve_redirects` function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.',\n",
+       "   'aliases': ['CVE-2015-2296', 'PYSEC-2015-17'],\n",
+       "   'severity': []},\n",
+       "  {'id': 'GHSA-x84v-xcm2-53pg',\n",
+       "   'summary': 'Insufficiently Protected Credentials in Requests',\n",
+       "   'details': 'The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.',\n",
+       "   'aliases': ['CVE-2018-18074', 'PYSEC-2018-28'],\n",
+       "   'severity': [{'type': 'CVSS_V3',\n",
+       "     'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}]},\n",
+       "  {'id': 'PYSEC-2014-13',\n",
+       "   'summary': '',\n",
+       "   'details': 'Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.',\n",
+       "   'aliases': ['CVE-2014-1829', 'GHSA-cfj3-7x9c-4p3h'],\n",
+       "   'severity': []},\n",
+       "  {'id': 'PYSEC-2014-14',\n",
+       "   'summary': '',\n",
+       "   'details': 'Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.',\n",
+       "   'aliases': ['CVE-2014-1830', 'GHSA-652x-xj99-gmcc'],\n",
+       "   'severity': []},\n",
+       "  {'id': 'PYSEC-2015-17',\n",
+       "   'summary': '',\n",
+       "   'details': 'The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.',\n",
+       "   'aliases': ['CVE-2015-2296', 'GHSA-pg2w-x9wp-vw92'],\n",
+       "   'severity': []},\n",
+       "  {'id': 'PYSEC-2018-28',\n",
+       "   'summary': '',\n",
+       "   'details': 'The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.',\n",
+       "   'aliases': ['CVE-2018-18074', 'GHSA-x84v-xcm2-53pg'],\n",
+       "   'severity': []},\n",
+       "  {'id': 'PYSEC-2023-74',\n",
+       "   'summary': '',\n",
+       "   'details': 'Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\\n\\n',\n",
+       "   'aliases': ['CVE-2023-32681', 'GHSA-j8r2-6x86-q33q'],\n",
+       "   'severity': []}]}"
+      ]
+     },
+     "execution_count": 9,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "vulnerability_info"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.14.6"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

codeaudit 1.7.0__tar.gz → 1.7.1__tar.gz

codeaudit 1.7.0tar.gz → 1.7.1tar.gz