PyPI - owasp-depscan - Versions diffs - 4.2.6__tar.gz → 4.2.7__tar.gz - Mend

owasp-depscan 4.2.6tar.gz → 4.2.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (82) hide show

{owasp-depscan-4.2.6/owasp_depscan.egg-info → owasp-depscan-4.2.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.6
+Version: 4.2.7
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -21,6 +21,7 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: appthreat-vulnerability-db>=5.4.2
 Requires-Dist: defusedxml
+Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
@@ -55,7 +56,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 ### Linux distros
@@ -72,7 +73,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 ## Usage
@@ -130,13 +131,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
-Cache all vulnerabilities including os.
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
 Use the `/scan` endpoint to perform scans.
 ```bash
@@ -177,12 +171,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/README.md RENAMED Viewed

@@ -23,7 +23,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 ### Linux distros
@@ -40,7 +40,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 ## Usage
@@ -98,13 +98,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
-Cache all vulnerabilities including os.
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
 Use the `/scan` endpoint to perform scans.
 ```bash
@@ -145,12 +138,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/depscan/cli.py RENAMED Viewed

@@ -12,11 +12,14 @@ from rich.terminal_theme import MONOKAI
 from vdb.lib import config
 from vdb.lib import db as db_lib
 from vdb.lib.aqua import AquaSource
+from vdb.lib.config import data_dir
 from vdb.lib.gha import GitHubSource
 from vdb.lib.nvd import NvdSource
 from vdb.lib.osv import OSVSource
 from vdb.lib.utils import parse_purl
+import oras.client
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
     PrepareVexOptions,
@@ -29,7 +32,7 @@ from depscan.lib.analysis import (
 )
 from depscan.lib.audit import audit, risk_audit, risk_audit_map, type_audit_map
 from depscan.lib.bom import create_bom, get_pkg_by_type, get_pkg_list, submit_bom
-from depscan.lib.config import UNIVERSAL_SCAN_TYPE, license_data_dir, spdx_license_list
+from depscan.lib.config import UNIVERSAL_SCAN_TYPE, license_data_dir, spdx_license_list, vdb_database_url
 from depscan.lib.license import build_license_data, bulk_lookup
 from depscan.lib.logger import LOG, console
 from depscan.lib.utils import get_version
@@ -76,13 +79,6 @@ def build_args():
         dest="cache",
         help="Cache vulnerability information in platform specific " "user_data_dir",
     )
-    parser.add_argument(
-        "--cache-os",
-        action="store_true",
-        default=False,
-        dest="cache_os",
-        help="Cache OS vulnerability information in platform specific " "user_data_dir",
-    )
     parser.add_argument(
         "--sync",
         action="store_true",
@@ -455,17 +451,10 @@ async def cache():
     :return: a JSON response indicating the status of the caching operation.
     """
     db = db_lib.get()
-    q = request.args
     if not db_lib.index_count(db["index_file"]):
-        sources_list = [OSVSource(), NvdSource()]
-        if os.environ.get("GITHUB_TOKEN"):
-            sources_list.insert(0, GitHubSource())
-        # Include aqua source when ?os=true query string is passed
-        if q.get("os", "").lower() in ("true", "1"):
-            sources_list.insert(0, AquaSource())
-        for s in sources_list:
-            LOG.debug("Refreshing %s", s.__class__.__name__)
-            s.refresh()
+        oras_client = oras.client.OrasClient()
+        paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
+        LOG.debug(f'VDB data is stored at: {paths_list}')
         return {
             "error": "false",
             "message": "vulnerability database cached successfully",
@@ -607,7 +596,7 @@ def main():
     else:
         project_types_list = utils.detect_project_type(src_dir)
     db = db_lib.get()
-    run_cacher = args.cache or args.cache_os
+    run_cacher = args.cache
     areport_file = (
         args.report_file
         if args.report_file
@@ -746,26 +735,15 @@ def main():
             run_cacher = True
         else:
             LOG.debug("Vulnerability database loaded from %s", config.vdb_bin_file)
         sources_list = [OSVSource(), NvdSource()]
         if os.environ.get("GITHUB_TOKEN"):
             sources_list.insert(0, GitHubSource())
         if run_cacher:
-            if (
-                args.cache_os
-                or args.deep_scan
-                or project_type in ("docker", "podman", "yaml-manifest", "os")
-            ):
-                sources_list.insert(0, AquaSource())
-                LOG.info(
-                    "OS Vulnerability database would be downloaded for the "
-                    "first time. To avoid this step, manually download the "
-                    "vulnerability database using the ORAS cli and set the "
-                    "environment variable VDB_HOME."
-                )
-            for s in sources_list:
-                LOG.debug("Refreshing %s", s.__class__.__name__)
-                s.refresh()
-                run_cacher = False
+            oras_client = oras.client.OrasClient()
+            paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
+            LOG.debug(f'VDB data is stored at: {paths_list}')
+            run_cacher = False
         elif args.sync:
             for s in sources_list:
                 LOG.debug("Syncing %s", s.__class__.__name__)

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/depscan/lib/bom.py RENAMED Viewed

@@ -245,6 +245,69 @@ def resource_path(relative_path):
     return os.path.join(base_path, relative_path)
+def exec_cdxgen(bin=True):
+    if bin:
+        cdxgen_cmd = os.environ.get("CDXGEN_CMD", "cdxgen")
+        if not shutil.which(cdxgen_cmd):
+            local_bin = resource_path(
+                os.path.join(
+                    "local_bin",
+                    "cdxgen.exe" if sys.platform == "win32" else "cdxgen",
+                )
+            )
+            if not os.path.exists(local_bin):
+                LOG.warning(
+                    "%s command not found. Please install using npm install "
+                    "@cyclonedx/cdxgen or set PATH variable",
+                    cdxgen_cmd,
+                )
+                return False
+            try:
+                cdxgen_cmd = local_bin
+                # Set the plugins directory as an environment variable
+                os.environ["CDXGEN_PLUGINS_DIR"] = resource_path("local_bin")
+                return cdxgen_cmd
+            except Exception:
+                return None
+    else:
+        # cdxgen_cmd = (
+        #     os.environ.get("CDXGEN_CMD", "cdxgen")
+        #     if sys.platform != "win32"
+        #     else os.environ.get("CDXGEN_CMD", "cdxgen.CMD")
+        # )
+        lbin = os.getenv("APPDATA") if sys.platform == "win32" else "local_bin"
+        local_bin = resource_path(
+            os.path.join(
+                f"{lbin}\\npm\\" if sys.platform == "win32" else "local_bin",
+                "cdxgen" if sys.platform != "win32" else "cdxgen.cmd",
+            )
+        )
+        if not os.path.exists(local_bin):
+            LOG.warning(
+                "%s command not found. Please install using npm install "
+                "@cyclonedx/cdxgen or set PATH variable",
+                local_bin,
+            )
+            return None
+        try:
+            cdxgen_cmd = local_bin
+            # Set the plugins directory as an environment variable
+            os.environ["CDXGEN_PLUGINS_DIR"] = (
+                resource_path("local_bin")
+                if sys.platform != "win32"
+                else resource_path(
+                    os.path.join(
+                        lbin,
+                        "\\npm\\node_modules\\@cyclonedx\\cdxgen\\node_modules\\@cyclonedx\\cdxgen-plugins-bin\\plugins",
+                    )
+                )
+            )
+            return cdxgen_cmd
+        except Exception:
+            return None
 def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
     """
     Method to create BOM file by executing cdxgen command
@@ -303,27 +366,9 @@ def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
                     "Unable to generate SBoM with cdxgen server. Trying to "
                     "generate one locally."
                 )
-    cdxgen_cmd = os.environ.get("CDXGEN_CMD", "cdxgen")
-    if not shutil.which(cdxgen_cmd):
-        local_bin = resource_path(
-            os.path.join(
-                "local_bin",
-                "cdxgen.exe" if sys.platform == "win32" else "cdxgen",
-            )
-        )
-        if not os.path.exists(local_bin):
-            LOG.warning(
-                "%s command not found. Please install using npm install "
-                "@cyclonedx/cdxgen or set PATH variable",
-                cdxgen_cmd,
-            )
-            return False
-        try:
-            cdxgen_cmd = local_bin
-            # Set the plugins directory as an environment variable
-            os.environ["CDXGEN_PLUGINS_DIR"] = resource_path("local_bin")
-        except Exception:
-            pass
+    cdxgen_cmd = exec_cdxgen()
+    if not cdxgen_cmd:
+        cdxgen_cmd = exec_cdxgen(False)
     if project_type in ("docker",):
         LOG.info(
             "Generating Software Bill-of-Materials for container image %s. "
@@ -335,7 +380,10 @@ def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
         args.append("--deep")
         LOG.info("About to perform deep scan. This would take a while ...")
     args.append(src_dir)
-    exec_tool(args)
+    if cdxgen_cmd:
+        exec_tool(args)
+    else:
+        LOG.warning("Unable to locate cdxgen command. ")
     return os.path.exists(bom_file)

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/depscan/lib/config.py RENAMED Viewed

@@ -296,6 +296,8 @@ npm_app_info = {"name": "appthreat-depscan", "version": "1.0.0"}
 pypi_server = "https://pypi.org/pypi"
+vdb_database_url = "ghcr.io/appthreat/vdb:v5"
 # Package risk scoring using a simple weighted formula with no backing
 # research All parameters and their max value and weight can be overridden
 # using environment variables

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7/owasp_depscan.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.6
+Version: 4.2.7
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -21,6 +21,7 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: appthreat-vulnerability-db>=5.4.2
 Requires-Dist: defusedxml
+Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
@@ -55,7 +56,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - NVD
 - GitHub
 - NPM
-- Linux [vuln-list](https://github.com/appthreat/vuln-list) (Use `--cache-os`)
+- Linux [vuln-list](https://github.com/appthreat/vuln-list)
 ### Linux distros
@@ -72,7 +73,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Chainguard
 - Wolfi OS
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache-os` for the first time. dep-scan would also download the appropriate database based on project type automatically.
+Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `--cache` for the first time. dep-scan would also download the appropriate database based on project type automatically.
 ## Usage
@@ -130,13 +131,6 @@ In server mode, use `/cache` endpoint to cache the vulnerability database.
 curl http://0.0.0.0:7070/cache
 ```
-Cache all vulnerabilities including os.
-```bash
-# This would take over 5 minutes
-curl http://0.0.0.0:7070/cache?os=true
-```
 Use the `/scan` endpoint to perform scans.
 ```bash
@@ -177,12 +171,11 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--cache-os] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
+usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
               [--reports-dir REPORTS_DIR] [--no-error] [--deep]
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
-  --cache-os            Cache OS vulnerability information in platform specific user_data_dir
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/owasp_depscan.egg-info/requires.txt RENAMED Viewed

@@ -1,5 +1,6 @@
 appthreat-vulnerability-db>=5.4.2
 defusedxml
+oras
 PyYAML
 rich
 quart

{owasp-depscan-4.2.6 → owasp-depscan-4.2.7}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "owasp-depscan"
-version = "4.2.6"
+version = "4.2.7"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
@@ -8,6 +8,7 @@ authors = [
 dependencies = [
     "appthreat-vulnerability-db>=5.4.2",
     "defusedxml",
+    "oras",
     "PyYAML",
     "rich",
     "quart",