oneport-depcheck 0.4.0__tar.gz

oneport_depcheck-0.4.0/PKG-INFO

@@ -0,0 +1,8 @@
+Metadata-Version: 2.4
+Name: oneport-depcheck
+Version: 0.4.0
+Requires-Dist: requests
+Requires-Dist: packaging
+Requires-Dist: click
+Requires-Dist: rich
+Dynamic: requires-dist

oneport_depcheck-0.4.0/depcheck/__init__.py

@@ -0,0 +1,5 @@
+__version__ = "0.4.0"
+__author__ = "Bitan Dutta"
+__email__ = "bitandutta6345@gmail.com"
+__description__ = "MNC-grade dependency vulnerability scanner"
+__url__ = "https://oneport.co.in"

oneport_depcheck-0.4.0/depcheck/audit_log.py

@@ -0,0 +1,78 @@
+import json
+import os
+from datetime import datetime, timezone
+
+AUDIT_LOG_PATH = os.path.join(os.path.expanduser("~"), ".depcheck", "audit.jsonl")
+
+
+def _ensure_dir():
+    os.makedirs(os.path.dirname(AUDIT_LOG_PATH), exist_ok=True)
+
+
+def log_scan(
+    packages_scanned: int,
+    findings: list[dict],
+    supply_chain: list[dict],
+    license_issues: list[dict],
+    policy_violations: list[dict],
+    scan_target: str = "unknown",
+    extra: dict = None,
+) -> str:
+    """Append one scan record to the audit log. Returns the log path."""
+    _ensure_dir()
+
+    severity_counts = {}
+    for f in findings:
+        sev = f.get("severity", "UNKNOWN")
+        severity_counts[sev] = severity_counts.get(sev, 0) + 1
+
+    record = {
+        "timestamp": datetime.now(timezone.utc).isoformat(),
+        "scan_target": scan_target,
+        "packages_scanned": packages_scanned,
+        "findings_count": len(findings),
+        "severity_breakdown": severity_counts,
+        "supply_chain_count": len(supply_chain),
+        "license_issues_count": len(license_issues),
+        "policy_violations_count": len(policy_violations),
+        "cve_ids": [
+            cve for f in findings
+            for cve in f.get("ids", [])
+            if cve.startswith("CVE-")
+        ][:20],
+        "extra": extra or {},
+    }
+
+    with open(AUDIT_LOG_PATH, "a", encoding="utf-8") as f:
+        f.write(json.dumps(record) + "\n")
+
+    return AUDIT_LOG_PATH
+
+
+def read_audit_log(last_n: int = 20) -> list[dict]:
+    """Read the last N scan records from the audit log."""
+    if not os.path.exists(AUDIT_LOG_PATH):
+        return []
+    records = []
+    try:
+        with open(AUDIT_LOG_PATH, encoding="utf-8") as f:
+            for line in f:
+                line = line.strip()
+                if line:
+                    try:
+                        records.append(json.loads(line))
+                    except json.JSONDecodeError:
+                        pass
+    except Exception:
+        pass
+    return records[-last_n:]
+
+
+def export_audit_log_pdf(output_path: str = "depcheck-audit.json") -> str:
+    """Export full audit log as JSON for compliance teams."""
+    records = read_audit_log(last_n=9999)
+    with open(output_path, "w") as f:
+        json.dump({"generated_at": datetime.now(timezone.utc).isoformat(),
+                   "total_scans": len(records),
+                   "scans": records}, f, indent=2)
+    return output_path

oneport_depcheck-0.4.0/depcheck/auth.py

@@ -0,0 +1,207 @@
+import os
+import json
+import hashlib
+import secrets
+import time
+from datetime import datetime, timezone
+
+CONFIG_DIR = os.path.join(os.path.expanduser("~"), ".depcheck")
+AUTH_FILE = os.path.join(CONFIG_DIR, "auth.json")
+KEYS_FILE = os.path.join(CONFIG_DIR, "api_keys.json")
+
+
+def _ensure_dir():
+    os.makedirs(CONFIG_DIR, exist_ok=True)
+
+
+def _load_auth() -> dict:
+    if not os.path.exists(AUTH_FILE):
+        return {}
+    with open(AUTH_FILE) as f:
+        return json.load(f)
+
+
+def _save_auth(data: dict):
+    _ensure_dir()
+    with open(AUTH_FILE, "w") as f:
+        json.dump(data, f, indent=2)
+
+
+def _load_keys() -> list[dict]:
+    if not os.path.exists(KEYS_FILE):
+        return []
+    with open(KEYS_FILE) as f:
+        return json.load(f)
+
+
+def _save_keys(keys: list[dict]):
+    _ensure_dir()
+    with open(KEYS_FILE, "w") as f:
+        json.dump(keys, f, indent=2)
+
+
+def generate_api_key(name: str, scopes: list = None) -> dict:
+    raw_key = "dc_" + secrets.token_urlsafe(32)
+    key_hash = hashlib.sha256(raw_key.encode()).hexdigest()
+
+    entry = {
+        "id": secrets.token_hex(8),
+        "name": name,
+        "key_hash": key_hash,
+        "key_prefix": raw_key[:8],
+        "scopes": scopes or ["scan:read", "scan:write"],
+        "created_at": datetime.now(timezone.utc).isoformat(),
+        "last_used": None,
+        "active": True,
+    }
+
+    keys = _load_keys()
+    keys.append(entry)
+    _save_keys(keys)
+
+    result = dict(entry)
+    result["raw_key"] = raw_key
+    return result
+
+
+def validate_api_key(raw_key: str) -> dict | None:
+    if not raw_key.startswith("dc_"):
+        return None
+    key_hash = hashlib.sha256(raw_key.encode()).hexdigest()
+    keys = _load_keys()
+    for key in keys:
+        if key.get("key_hash") == key_hash and key.get("active"):
+            key["last_used"] = datetime.now(timezone.utc).isoformat()
+            _save_keys(keys)
+            return key
+    return None
+
+
+def revoke_api_key(key_id: str) -> bool:
+    keys = _load_keys()
+    for key in keys:
+        if key["id"] == key_id:
+            key["active"] = False
+            _save_keys(keys)
+            return True
+    return False
+
+
+def list_api_keys() -> list[dict]:
+    keys = _load_keys()
+    return [
+        {k: v for k, v in key.items() if k != "key_hash"}
+        for key in keys
+    ]
+
+
+def login_oidc(provider="okta", client_id=None,
+               issuer_url=None) -> dict:
+    import webbrowser
+
+    client_id = client_id or os.environ.get(
+        "DEPCHECK_OIDC_CLIENT_ID", ""
+    )
+    issuer_url = issuer_url or os.environ.get(
+        "DEPCHECK_OIDC_ISSUER", ""
+    )
+
+    if not client_id or not issuer_url:
+        raise ValueError(
+            "Set DEPCHECK_OIDC_CLIENT_ID and DEPCHECK_OIDC_ISSUER.\n"
+            "Example:\n"
+            "  export DEPCHECK_OIDC_CLIENT_ID=your-client-id\n"
+            "  export DEPCHECK_OIDC_ISSUER=https://yourorg.okta.com"
+            "/oauth2/default"
+        )
+
+    import requests as req
+
+    device_url = f"{issuer_url}/v1/device/authorize"
+    token_url = f"{issuer_url}/v1/token"
+
+    resp = req.post(device_url, data={
+        "client_id": client_id,
+        "scope": "openid profile email",
+    }, timeout=10)
+
+    if resp.status_code != 200:
+        raise RuntimeError(f"Device auth failed: {resp.text[:200]}")
+
+    data = resp.json()
+    device_code = data["device_code"]
+    user_code = data["user_code"]
+    verification_uri = data["verification_uri"]
+    interval = data.get("interval", 5)
+    expires_in = data.get("expires_in", 300)
+
+    print(f"\n  Open: {verification_uri}")
+    print(f"  Code: {user_code}\n")
+    webbrowser.open(verification_uri)
+
+    deadline = time.time() + expires_in
+    while time.time() < deadline:
+        time.sleep(interval)
+        token_resp = req.post(token_url, data={
+            "client_id": client_id,
+            "device_code": device_code,
+            "grant_type":
+                "urn:ietf:params:oauth:grant-type:device_code",
+        }, timeout=10)
+
+        token_data = token_resp.json()
+        if "access_token" in token_data:
+            auth = {
+                "provider": provider,
+                "access_token": token_data["access_token"],
+                "id_token": token_data.get("id_token"),
+                "expires_at": (
+                    datetime.now(timezone.utc).timestamp()
+                    + token_data.get("expires_in", 3600)
+                ),
+                "logged_in_at": datetime.now(timezone.utc).isoformat(),
+            }
+            _save_auth(auth)
+            return auth
+
+        error = token_data.get("error")
+        if error not in ("authorization_pending", "slow_down"):
+            raise RuntimeError(f"Auth error: {error}")
+
+    raise TimeoutError("Login timed out.")
+
+
+def get_current_auth() -> dict | None:
+    auth = _load_auth()
+    if not auth:
+        return None
+    if time.time() > auth.get("expires_at", 0):
+        return None
+    return auth
+
+
+def logout() -> bool:
+    if os.path.exists(AUTH_FILE):
+        os.remove(AUTH_FILE)
+        return True
+    return False
+
+
+def require_auth(console=None) -> dict | None:
+    api_key = os.environ.get("DEPCHECK_API_KEY")
+    if api_key:
+        key_entry = validate_api_key(api_key)
+        if key_entry:
+            return {"type": "api_key", "name": key_entry["name"],
+                    "scopes": key_entry["scopes"]}
+        if console:
+            console.print(
+                "[yellow]Warning: DEPCHECK_API_KEY invalid.[/yellow]"
+            )
+        return None
+
+    auth = get_current_auth()
+    if auth:
+        return {"type": "oidc", "provider": auth.get("provider"),
+                "logged_in_at": auth.get("logged_in_at")}
+    return None

oneport_depcheck-0.4.0/depcheck/cache.py

@@ -0,0 +1,57 @@
+import json
+import hashlib
+import os
+from datetime import datetime, timezone, timedelta
+
+CACHE_DIR = os.path.join(os.path.expanduser("~"), ".depcheck", "cache")
+CACHE_TTL_HOURS = 24
+
+
+def _cache_path(key: str) -> str:
+    os.makedirs(CACHE_DIR, exist_ok=True)
+    hashed = hashlib.sha256(key.encode()).hexdigest()[:16]
+    return os.path.join(CACHE_DIR, f"{hashed}.json")
+
+
+def cache_get(key: str) -> dict | None:
+    path = _cache_path(key)
+    if not os.path.exists(path):
+        return None
+    try:
+        with open(path) as f:
+            entry = json.load(f)
+        cached_at = datetime.fromisoformat(entry["cached_at"])
+        if datetime.now(timezone.utc) - cached_at > timedelta(hours=CACHE_TTL_HOURS):
+            os.remove(path)
+            return None
+        return entry["data"]
+    except Exception:
+        return None
+
+
+def cache_set(key: str, data) -> None:
+    path = _cache_path(key)
+    try:
+        with open(path, "w") as f:
+            json.dump({"cached_at": datetime.now(timezone.utc).isoformat(), "data": data}, f)
+    except Exception:
+        pass
+
+
+def cache_clear() -> int:
+    if not os.path.exists(CACHE_DIR):
+        return 0
+    count = 0
+    for f in os.listdir(CACHE_DIR):
+        if f.endswith(".json"):
+            os.remove(os.path.join(CACHE_DIR, f))
+            count += 1
+    return count
+
+
+def cache_stats() -> dict:
+    if not os.path.exists(CACHE_DIR):
+        return {"entries": 0, "size_kb": 0}
+    files = [f for f in os.listdir(CACHE_DIR) if f.endswith(".json")]
+    size = sum(os.path.getsize(os.path.join(CACHE_DIR, f)) for f in files)
+    return {"entries": len(files), "size_kb": round(size / 1024, 1)}

oneport_depcheck-0.4.0/depcheck/cicd.py

@@ -0,0 +1,79 @@
+GITHUB_ACTIONS_TEMPLATE = """\
+name: Dependency Security Scan
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  schedule:
+    - cron: '0 9 * * 1'  # Every Monday 9am UTC
+
+jobs:
+  depcheck:
+    name: oneport-depcheck
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Install oneport-depcheck
+        run: pip install oneport-depcheck
+
+      - name: Run vulnerability scan
+        run: |
+          depcheck scan -r requirements.txt --fail-on CRITICAL,HIGH
+
+      - name: Generate SBOM
+        run: depcheck sbom -r requirements.txt
+
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: |
+            sbom.spdx.json
+            sbom.cyclonedx.json
+"""
+
+GITLAB_CI_TEMPLATE = """\
+depcheck:
+  stage: test
+  image: python:3.11
+  script:
+    - pip install -r requirements.txt
+    - pip install oneport-depcheck
+    - depcheck scan -r requirements.txt --fail-on CRITICAL,HIGH
+    - depcheck sbom -r requirements.txt
+  artifacts:
+    paths:
+      - sbom.spdx.json
+      - sbom.cyclonedx.json
+    expire_in: 30 days
+  only:
+    - main
+    - merge_requests
+"""
+
+
+def generate_github_actions(output_path: str = ".github/workflows/depcheck.yml") -> str:
+    import os
+    os.makedirs(os.path.dirname(output_path), exist_ok=True)
+    with open(output_path, "w") as f:
+        f.write(GITHUB_ACTIONS_TEMPLATE)
+    return output_path
+
+
+def generate_gitlab_ci(output_path: str = "depcheck-gitlab.yml") -> str:
+    with open(output_path, "w") as f:
+        f.write(GITLAB_CI_TEMPLATE)
+    return output_path