owasp-depscan 4.2.5__tar.gz → 4.2.7__tar.gz

{owasp-depscan-4.2.5/owasp_depscan.egg-info → owasp-depscan-4.2.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.5
+Version: 4.2.7
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -18,8 +18,18 @@ Classifier: Topic :: Security
 Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Provides-Extra: dev
 License-File: LICENSE
+Requires-Dist: appthreat-vulnerability-db>=5.4.2
+Requires-Dist: defusedxml
+Requires-Dist: oras
+Requires-Dist: PyYAML
+Requires-Dist: rich
+Requires-Dist: quart
+Provides-Extra: dev
+Requires-Dist: black; extra == "dev"
+Requires-Dist: flake8; extra == "dev"
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
 
 # Introduction
 
@@ -46,7 +56,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 
 ### Linux distros
 
@@ -63,7 +73,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
 
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 
 ## Usage
 
@@ -77,7 +87,7 @@ Use [ORAS cli](https://oras.land/cli/) to download the dep-scan binary and the v
 export VDB_HOME=depscan
 mkdir -p $VDB_HOME
 oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
-oras pull ghcr.io/appthreat/depscan:v4 -o $VDB_HOME
+oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 ```
 
 ### Single binary executables
@@ -121,13 +131,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
 
-Cache all vulnerabilities including os.
-
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
-
 Use the `/scan` endpoint to perform scans.
 
 ```bash
@@ -168,12 +171,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/README.md

@@ -23,7 +23,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 
 ### Linux distros
 
@@ -40,7 +40,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
 
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 
 ## Usage
 
@@ -54,7 +54,7 @@ Use [ORAS cli](https://oras.land/cli/) to download the dep-scan binary and the v
 export VDB_HOME=depscan
 mkdir -p $VDB_HOME
 oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
-oras pull ghcr.io/appthreat/depscan:v4 -o $VDB_HOME
+oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 ```
 
 ### Single binary executables
@@ -98,13 +98,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
 
-Cache all vulnerabilities including os.
-
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
-
 Use the `/scan` endpoint to perform scans.
 
 ```bash
@@ -145,12 +138,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/depscan/cli.py

@@ -12,11 +12,14 @@ from rich.terminal_theme import MONOKAI
 from vdb.lib import config
 from vdb.lib import db as db_lib
 from vdb.lib.aqua import AquaSource
+from vdb.lib.config import data_dir
 from vdb.lib.gha import GitHubSource
 from vdb.lib.nvd import NvdSource
 from vdb.lib.osv import OSVSource
 from vdb.lib.utils import parse_purl
 
+import oras.client
+
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
     PrepareVexOptions,
@@ -29,9 +32,10 @@ from depscan.lib.analysis import (
 )
 from depscan.lib.audit import audit, risk_audit, risk_audit_map, type_audit_map
 from depscan.lib.bom import create_bom, get_pkg_by_type, get_pkg_list, submit_bom
-from depscan.lib.config import UNIVERSAL_SCAN_TYPE, license_data_dir, spdx_license_list
+from depscan.lib.config import UNIVERSAL_SCAN_TYPE, license_data_dir, spdx_license_list, vdb_database_url
 from depscan.lib.license import build_license_data, bulk_lookup
 from depscan.lib.logger import LOG, console
+from depscan.lib.utils import get_version
 
 try:
     os.environ["PYTHONIOENCODING"] = "utf-8"
@@ -75,13 +79,6 @@ def build_args():
         dest="cache",
         help="Cache vulnerability information in platform specific " "user_data_dir",
     )
-    parser.add_argument(
-        "--cache-os",
-        action="store_true",
-        default=False,
-        dest="cache_os",
-        help="Cache OS vulnerability information in platform specific " "user_data_dir",
-    )
     parser.add_argument(
         "--sync",
         action="store_true",
@@ -239,6 +236,13 @@ def build_args():
         dest="cdxgen_server",
         help="cdxgen server url. Eg: http://cdxgen:9090",
     )
+    parser.add_argument(
+        "-v",
+        "--version",
+        help="Display the version",
+        action="version",
+        version="%(prog)s " + get_version(),
+    )
     return parser.parse_args()
 
 
@@ -383,6 +387,32 @@ def summarise(
             with open(bom_file, encoding="utf-8") as fp:
                 bom_data = json.load(fp)
                 if bom_data:
+                    # Add depscan information as metadata
+                    metadata = bom_data.get("metadata", {})
+                    tools = metadata.get("tools", {})
+                    bom_version = str(bom_data.get("version", 1))
+                    # Update the version
+                    if bom_version.isdigit():
+                        bom_version = int(bom_version) + 1
+                        bom_data["version"] = bom_version
+                    # Update the tools section
+                    if isinstance(tools, dict):
+                        components = tools.get("components", [])
+                        ds_version = get_version()
+                        ds_purl = f"pkg:pypi/owasp-depscan@{ds_version}"
+                        components.append(
+                            {
+                                "type": "application",
+                                "name": "owasp-depscan",
+                                "version": ds_version,
+                                "purl": ds_purl,
+                                "bom-ref": ds_purl,
+                            }
+                        )
+                        tools["components"] = components
+                        metadata["tools"] = tools
+                        bom_data["metadata"] = metadata
+
                     bom_data["vulnerabilities"] = pkg_vulnerabilities
                     # Look for any privado json file
                     if os.path.exists(privado_json_file):
@@ -421,17 +451,10 @@ async def cache():
     :return: a JSON response indicating the status of the caching operation.
     """
     db = db_lib.get()
-    q = request.args
     if not db_lib.index_count(db["index_file"]):
-        sources_list = [OSVSource(), NvdSource()]
-        if os.environ.get("GITHUB_TOKEN"):
-            sources_list.insert(0, GitHubSource())
-        # Include aqua source when ?os=true query string is passed
-        if q.get("os", "").lower() in ("true", "1"):
-            sources_list.insert(0, AquaSource())
-        for s in sources_list:
-            LOG.debug("Refreshing %s", s.__class__.__name__)
-            s.refresh()
+        oras_client = oras.client.OrasClient()
+        paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
+        LOG.debug(f'VDB data is stored at: {paths_list}')
         return {
             "error": "false",
             "message": "vulnerability database cached successfully",
@@ -573,7 +596,7 @@ def main():
     else:
         project_types_list = utils.detect_project_type(src_dir)
     db = db_lib.get()
-    run_cacher = args.cache or args.cache_os
+    run_cacher = args.cache
     areport_file = (
         args.report_file
         if args.report_file
@@ -712,26 +735,15 @@ def main():
             run_cacher = True
         else:
             LOG.debug("Vulnerability database loaded from %s", config.vdb_bin_file)
+
         sources_list = [OSVSource(), NvdSource()]
         if os.environ.get("GITHUB_TOKEN"):
             sources_list.insert(0, GitHubSource())
         if run_cacher:
-            if (
-                args.cache_os
-                or args.deep_scan
-                or project_type in ("docker", "podman", "yaml-manifest", "os")
-            ):
-                sources_list.insert(0, AquaSource())
-                LOG.info(
-                    "OS Vulnerability database would be downloaded for the "
-                    "first time. To avoid this step, manually download the "
-                    "vulnerability database using the ORAS cli and set the "
-                    "environment variable VDB_HOME."
-                )
-            for s in sources_list:
-                LOG.debug("Refreshing %s", s.__class__.__name__)
-                s.refresh()
-                run_cacher = False
+            oras_client = oras.client.OrasClient()
+            paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
+            LOG.debug(f'VDB data is stored at: {paths_list}')
+            run_cacher = False
         elif args.sync:
             for s in sources_list:
                 LOG.debug("Syncing %s", s.__class__.__name__)

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/depscan/lib/bom.py

@@ -245,6 +245,69 @@ def resource_path(relative_path):
     return os.path.join(base_path, relative_path)
 
 
+def exec_cdxgen(bin=True):
+    if bin:
+        cdxgen_cmd = os.environ.get("CDXGEN_CMD", "cdxgen")
+        if not shutil.which(cdxgen_cmd):
+            local_bin = resource_path(
+                os.path.join(
+                    "local_bin",
+                    "cdxgen.exe" if sys.platform == "win32" else "cdxgen",
+                )
+            )
+            if not os.path.exists(local_bin):
+                LOG.warning(
+                    "%s command not found. Please install using npm install "
+                    "@cyclonedx/cdxgen or set PATH variable",
+                    cdxgen_cmd,
+                )
+                return False
+            try:
+                cdxgen_cmd = local_bin
+                # Set the plugins directory as an environment variable
+                os.environ["CDXGEN_PLUGINS_DIR"] = resource_path("local_bin")
+                return cdxgen_cmd
+            except Exception:
+                return None
+
+    else:
+        # cdxgen_cmd = (
+        #     os.environ.get("CDXGEN_CMD", "cdxgen")
+        #     if sys.platform != "win32"
+        #     else os.environ.get("CDXGEN_CMD", "cdxgen.CMD")
+        # )
+        lbin = os.getenv("APPDATA") if sys.platform == "win32" else "local_bin"
+        local_bin = resource_path(
+            os.path.join(
+                f"{lbin}\\npm\\" if sys.platform == "win32" else "local_bin",
+                "cdxgen" if sys.platform != "win32" else "cdxgen.cmd",
+            )
+        )
+        if not os.path.exists(local_bin):
+            LOG.warning(
+                "%s command not found. Please install using npm install "
+                "@cyclonedx/cdxgen or set PATH variable",
+                local_bin,
+            )
+            return None
+        try:
+            cdxgen_cmd = local_bin
+            # Set the plugins directory as an environment variable
+            os.environ["CDXGEN_PLUGINS_DIR"] = (
+                resource_path("local_bin")
+                if sys.platform != "win32"
+                else resource_path(
+                    os.path.join(
+                        lbin,
+                        "\\npm\\node_modules\\@cyclonedx\\cdxgen\\node_modules\\@cyclonedx\\cdxgen-plugins-bin\\plugins",
+                    )
+                )
+            )
+            return cdxgen_cmd
+        except Exception:
+            return None
+
+
 def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
     """
     Method to create BOM file by executing cdxgen command
@@ -303,27 +366,9 @@ def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
                     "Unable to generate SBoM with cdxgen server. Trying to "
                     "generate one locally."
                 )
-    cdxgen_cmd = os.environ.get("CDXGEN_CMD", "cdxgen")
-    if not shutil.which(cdxgen_cmd):
-        local_bin = resource_path(
-            os.path.join(
-                "local_bin",
-                "cdxgen.exe" if sys.platform == "win32" else "cdxgen",
-            )
-        )
-        if not os.path.exists(local_bin):
-            LOG.warning(
-                "%s command not found. Please install using npm install "
-                "@cyclonedx/cdxgen or set PATH variable",
-                cdxgen_cmd,
-            )
-            return False
-        try:
-            cdxgen_cmd = local_bin
-            # Set the plugins directory as an environment variable
-            os.environ["CDXGEN_PLUGINS_DIR"] = resource_path("local_bin")
-        except Exception:
-            pass
+    cdxgen_cmd = exec_cdxgen()
+    if not cdxgen_cmd:
+        cdxgen_cmd = exec_cdxgen(False)
     if project_type in ("docker",):
         LOG.info(
             "Generating Software Bill-of-Materials for container image %s. "
@@ -335,7 +380,10 @@ def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
         args.append("--deep")
         LOG.info("About to perform deep scan. This would take a while ...")
     args.append(src_dir)
-    exec_tool(args)
+    if cdxgen_cmd:
+        exec_tool(args)
+    else:
+        LOG.warning("Unable to locate cdxgen command. ")
     return os.path.exists(bom_file)
 
 

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/depscan/lib/config.py

@@ -296,6 +296,8 @@ npm_app_info = {"name": "appthreat-depscan", "version": "1.0.0"}
 
 pypi_server = "https://pypi.org/pypi"
 
+vdb_database_url = "ghcr.io/appthreat/vdb:v5"
+
 # Package risk scoring using a simple weighted formula with no backing
 # research All parameters and their max value and weight can be overridden
 # using environment variables

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/depscan/lib/normalize.py

@@ -245,7 +245,7 @@ def dedup(project_type, pkg_list):
         version = None
         if res.matched_by:
             version = res.matched_by.split("|")[-1]
-        full_pkg = vid + ":" + package_issue.affected_location.package
+        full_pkg = package_issue.affected_location.package
         if package_issue.affected_location.vendor:
             full_pkg = (
                 f"{package_issue.affected_location.vendor}:"
@@ -253,6 +253,7 @@ def dedup(project_type, pkg_list):
             )
         if version:
             full_pkg = full_pkg + ":" + version
+        full_pkg = vid + ":" + full_pkg
         # Ignore any result with the exclude fix location
         # Required for debian
         if fixed_location == placeholder_exclude_version:

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/depscan/lib/utils.py

@@ -1,5 +1,6 @@
 import ast
 import os
+import pkg_resources
 import re
 from collections import defaultdict
 
@@ -366,3 +367,10 @@ def get_all_imports(src_dir):
                         import_list.add(pkg)
                         import_list.add(pkg.lower().replace("py", ""))
     return import_list
+
+
+def get_version():
+    """
+    Returns the version of depscan
+    """
+    return pkg_resources.get_distribution("owasp-depscan").version

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7/owasp_depscan.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.5
+Version: 4.2.7
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -18,8 +18,18 @@ Classifier: Topic :: Security
 Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Provides-Extra: dev
 License-File: LICENSE
+Requires-Dist: appthreat-vulnerability-db>=5.4.2
+Requires-Dist: defusedxml
+Requires-Dist: oras
+Requires-Dist: PyYAML
+Requires-Dist: rich
+Requires-Dist: quart
+Provides-Extra: dev
+Requires-Dist: black; extra == "dev"
+Requires-Dist: flake8; extra == "dev"
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
 
 # Introduction
 
@@ -46,7 +56,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 
 ### Linux distros
 
@@ -63,7 +73,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
 
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 
 ## Usage
 
@@ -77,7 +87,7 @@ Use [ORAS cli](https://oras.land/cli/) to download the dep-scan binary and the v
 export VDB_HOME=depscan
 mkdir -p $VDB_HOME
 oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
-oras pull ghcr.io/appthreat/depscan:v4 -o $VDB_HOME
+oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 ```
 
 ### Single binary executables
@@ -121,13 +131,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
 
-Cache all vulnerabilities including os.
-
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
-
 Use the `/scan` endpoint to perform scans.
 
 ```bash
@@ -168,12 +171,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/owasp_depscan.egg-info/requires.txt

@@ -1,5 +1,6 @@
-appthreat-vulnerability-db>=5.4.1
+appthreat-vulnerability-db>=5.4.2
 defusedxml
+oras
 PyYAML
 rich
 quart

{owasp-depscan-4.2.5 → owasp-depscan-4.2.7}/pyproject.toml

@@ -1,13 +1,14 @@
 [project]
 name = "owasp-depscan"
-version = "4.2.5"
+version = "4.2.7"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db>=5.4.1",
+    "appthreat-vulnerability-db>=5.4.2",
     "defusedxml",
+    "oras",
     "PyYAML",
     "rich",
     "quart",