PyPI - owasp-depscan - Versions diffs - 4.2.7__tar.gz → 4.3.0__tar.gz - Mend

owasp-depscan 4.2.7tar.gz → 4.3.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (84) hide show

{owasp-depscan-4.2.7 → owasp-depscan-4.3.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.2.7
+Version: 4.3.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -14,17 +14,19 @@ Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Security
 Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db>=5.4.2
+Requires-Dist: appthreat-vulnerability-db>=5.5.1
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black; extra == "dev"
 Requires-Dist: flake8; extra == "dev"
@@ -45,6 +47,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
 - Package vulnerability scanning is performed locally and is quite fast. No server is used!
 - Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information
+- Generate a Common Security Advisory Framework (CSAF) 2.0 document (check out the [CSAF Readme](contrib/CSAF_README.md))
 - Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)
 ![Dependency Tree with Insights](docs/tree1.jpg)
@@ -171,24 +174,33 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
-              [--reports-dir REPORTS_DIR] [--no-error] [--deep]
+usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
+               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
+  --csaf                Generate a CSAF
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma
-                        separated values accepted.
+                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
   --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
-  -i SRC_DIR, --src SRC_DIR
-                        Source directory
+  -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
+                        Source directory or container image or binary file
+  -o REPORT_FILE, --report_file REPORT_FILE
+                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
   --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
   --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
   --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
@@ -200,6 +212,16 @@ usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit]
                         ThreatDB password
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
+  --privado-json PRIVADO_JSON
+                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+  --server              Run depscan as a server
+  --server-host SERVER_HOST
+                        depscan server host
+  --server-port SERVER_PORT
+                        depscan server port
+  --cdxgen-server CDXGEN_SERVER
+                        cdxgen server url. Eg: http://cdxgen:9090
+  -v, --version         Display the version
 ```
 ### Scanning containers locally (Python version)

owasp-depscan-4.2.7/owasp_depscan.egg-info/PKG-INFO → owasp-depscan-4.3.0/README.md RENAMED Viewed

@@ -1,36 +1,3 @@
-Metadata-Version: 2.1
-Name: owasp-depscan
-Version: 4.2.7
-Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
-Author-email: Team AppThreat <cloud@appthreat.com>
-License: MIT
-Project-URL: Homepage, https://github.com/owasp-dep-scan/dep-scan
-Classifier: Development Status :: 5 - Production/Stable
-Classifier: Intended Audience :: Developers
-Classifier: Intended Audience :: System Administrators
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Topic :: Security
-Classifier: Topic :: Utilities
-Requires-Python: >=3.8
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db>=5.4.2
-Requires-Dist: defusedxml
-Requires-Dist: oras
-Requires-Dist: PyYAML
-Requires-Dist: rich
-Requires-Dist: quart
-Provides-Extra: dev
-Requires-Dist: black; extra == "dev"
-Requires-Dist: flake8; extra == "dev"
-Requires-Dist: pytest; extra == "dev"
-Requires-Dist: pytest-cov; extra == "dev"
 # Introduction
 OWASP dep-scan is a fully open-source security audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for CI environments with built-in build-breaker logic.
@@ -45,6 +12,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera
 - Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
 - Package vulnerability scanning is performed locally and is quite fast. No server is used!
 - Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information
+- Generate a Common Security Advisory Framework (CSAF) 2.0 document (check out the [CSAF Readme](contrib/CSAF_README.md))
 - Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit)
 ![Dependency Tree with Insights](docs/tree1.jpg)
@@ -171,24 +139,33 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR
-              [--reports-dir REPORTS_DIR] [--no-error] [--deep]
+usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
+               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
   --cache               Cache vulnerability information in platform specific user_data_dir
+  --csaf                Generate a CSAF
   --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma
-                        separated values accepted.
+                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
   --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
-  -i SRC_DIR, --src SRC_DIR
-                        Source directory
+  -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
+                        Source directory or container image or binary file
+  -o REPORT_FILE, --report_file REPORT_FILE
+                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
   --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
   --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
   --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
@@ -200,6 +177,16 @@ usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit]
                         ThreatDB password
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
+  --privado-json PRIVADO_JSON
+                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+  --server              Run depscan as a server
+  --server-host SERVER_HOST
+                        depscan server host
+  --server-port SERVER_PORT
+                        depscan server port
+  --cdxgen-server CDXGEN_SERVER
+                        cdxgen server url. Eg: http://cdxgen:9090
+  -v, --version         Display the version
 ```
 ### Scanning containers locally (Python version)

{owasp-depscan-4.2.7 → owasp-depscan-4.3.0}/depscan/cli.py RENAMED Viewed

@@ -4,6 +4,7 @@
 import argparse
 import json
 import os
+import sys
 import tempfile
 from quart import Quart, request
@@ -11,7 +12,6 @@ from rich.panel import Panel
 from rich.terminal_theme import MONOKAI
 from vdb.lib import config
 from vdb.lib import db as db_lib
-from vdb.lib.aqua import AquaSource
 from vdb.lib.config import data_dir
 from vdb.lib.gha import GitHubSource
 from vdb.lib.nvd import NvdSource
@@ -20,6 +20,7 @@ from vdb.lib.utils import parse_purl
 import oras.client
+from depscan.lib.csaf import export_csaf, write_toml
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
     PrepareVexOptions,
@@ -31,8 +32,18 @@ from depscan.lib.analysis import (
     summary_stats,
 )
 from depscan.lib.audit import audit, risk_audit, risk_audit_map, type_audit_map
-from depscan.lib.bom import create_bom, get_pkg_by_type, get_pkg_list, submit_bom
-from depscan.lib.config import UNIVERSAL_SCAN_TYPE, license_data_dir, spdx_license_list, vdb_database_url
+from depscan.lib.bom import (
+    create_bom,
+    get_pkg_by_type,
+    get_pkg_list,
+    submit_bom,
+)
+from depscan.lib.config import (
+    UNIVERSAL_SCAN_TYPE,
+    license_data_dir,
+    spdx_license_list,
+    vdb_database_url,
+)
 from depscan.lib.license import build_license_data, bulk_lookup
 from depscan.lib.logger import LOG, console
 from depscan.lib.utils import get_version
@@ -77,7 +88,15 @@ def build_args():
         action="store_true",
         default=False,
         dest="cache",
-        help="Cache vulnerability information in platform specific " "user_data_dir",
+        help="Cache vulnerability information in platform specific "
+        "user_data_dir",
+    )
+    parser.add_argument(
+        "--csaf",
+        action="store_true",
+        default=False,
+        dest="csaf",
+        help="Generate a CSAF",
     )
     parser.add_argument(
         "--sync",
@@ -92,12 +111,15 @@ def build_args():
         action="store_true",
         default=True,
         dest="suggest",
-        help="DEPRECATED: Suggest is the default mode for determining fix " "version.",
+        help="DEPRECATED: Suggest is the default mode for determining fix "
+        "version.",
     )
     parser.add_argument(
         "--risk-audit",
         action="store_true",
-        default=True if os.getenv("ENABLE_OSS_RISK", "") in ["true", "1"] else False,
+        default=True
+        if os.getenv("ENABLE_OSS_RISK", "") in ["true", "1"]
+        else False,
         dest="risk_audit",
         help="Perform package risk audit (slow operation). Npm only.",
     )
@@ -137,7 +159,9 @@ def build_args():
     )
     parser.add_argument(
         "--reports-dir",
-        default=os.getenv("DEPSCAN_REPORTS_DIR", os.path.join(os.getcwd(), "reports")),
+        default=os.getenv(
+            "DEPSCAN_REPORTS_DIR", os.path.join(os.getcwd(), "reports")
+        ),
         dest="reports_dir",
         help="Reports directory",
     )
@@ -264,7 +288,9 @@ def scan(db, project_type, pkg_list, suggest_mode):
         LOG.debug("Empty package search attempted!")
     else:
         LOG.debug("Scanning %d oss dependencies for issues", len(pkg_list))
-    results, pkg_aliases, purl_aliases = utils.search_pkgs(db, project_type, pkg_list)
+    results, pkg_aliases, purl_aliases = utils.search_pkgs(
+        db, project_type, pkg_list
+    )
     # pkg_aliases is a dict that can be used to find the original vendor and
     # package name This way we consistently use the same names used by the
     # caller irrespective of how the result was obtained
@@ -321,7 +347,9 @@ def scan(db, project_type, pkg_list, suggest_mode):
                 "Re-checking our suggestion to ensure there are no further "
                 "vulnerabilities"
             )
-            override_results, _, _ = utils.search_pkgs(db, project_type, sug_pkg_list)
+            override_results, _, _ = utils.search_pkgs(
+                db, project_type, sug_pkg_list
+            )
             if override_results:
                 new_sug_dict = suggest_version(override_results)
                 LOG.debug("Received override results: %s", new_sug_dict)
@@ -427,7 +455,7 @@ def summarise(
                                 bom_data["services"] = []
                             bom_data["services"].insert(0, pservice)
                     with open(vex_file, mode="w", encoding="utf-8") as vexfp:
-                        json.dump(bom_data, vexfp)
+                        json.dump(bom_data, vexfp, indent=4)
                         LOG.info("VEX file %s generated successfully", vex_file)
         except Exception:
             LOG.warning("Unable to generate VEX file for this scan")
@@ -453,8 +481,8 @@ async def cache():
     db = db_lib.get()
     if not db_lib.index_count(db["index_file"]):
         oras_client = oras.client.OrasClient()
-        paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
-        LOG.debug(f'VDB data is stored at: {paths_list}')
+        paths_list = oras_client.pull(target=vdb_database_url, outdir=data_dir)
+        LOG.debug(f"VDB data is stored at: {paths_list}")
         return {
             "error": "false",
             "message": "vulnerability database cached successfully",
@@ -551,7 +579,8 @@ async def run_scan():
         else:
             return {
                 "error": "true",
-                "message": "Unable to generate SBoM. Check your input path or " "url.",
+                "message": "Unable to generate SBoM. Check your input path or "
+                "url.",
             }, 500
@@ -562,7 +591,9 @@ def run_server(args):
     :param args: Command line arguments passed to the function.
     """
     print(at_logo)
-    console.print(f"Depscan server running on {args.server_host}:{args.server_port}")
+    console.print(
+        f"Depscan server running on {args.server_host}:{args.server_port}"
+    )
     app.config["CDXGEN_SERVER_URL"] = args.cdxgen_server
     app.run(
         host=args.server_host,
@@ -583,9 +614,24 @@ def main():
     if not args.no_banner:
         print(at_logo)
     src_dir = args.src_dir_image
-    if not src_dir:
+    if not src_dir or src_dir == ".":
         src_dir = os.getcwd()
     reports_dir = args.reports_dir
+    if args.csaf:
+        toml_file_path = os.path.join(src_dir, "csaf.toml")
+        if not os.path.exists(toml_file_path):
+            LOG.info("CSAF toml not found, creating template in %s", src_dir)
+            write_toml(toml_file_path)
+            LOG.info(
+                "Please fill out the toml with your details and rerun depscan."
+            )
+            LOG.info("Check out our CSAF documentation for an explanation of "
+                     "this feature. https://github.com/owasp-dep-scan/dep-scan"
+                     "/blob/master/contrib/CSAF_README.md")
+            LOG.info("If you're just checking out how our generator works, "
+                     "feel free to skip filling out the toml and just rerun "
+                     "depscan.")
+            sys.exit(0)
     # Detect the project types and perform the right type of scan
     if args.project_type:
         project_types_list = args.project_type.split(",")
@@ -623,7 +669,9 @@ def main():
     for project_type in project_types_list:
         results = []
         report_file = areport_file.replace(".json", f"-{project_type}.json")
-        risk_report_file = areport_file.replace(".json", f"-risk.{project_type}.json")
+        risk_report_file = areport_file.replace(
+            ".json", f"-risk.{project_type}.json"
+        )
         LOG.info("=" * 80)
         if args.bom and os.path.exists(args.bom):
             bom_file = args.bom
@@ -660,7 +708,9 @@ def main():
             license_report_file = os.path.join(
                 reports_dir, "license-" + project_type + ".json"
             )
-            analyse_licenses(project_type, licenses_results, license_report_file)
+            analyse_licenses(
+                project_type, licenses_results, license_report_file
+            )
         if project_type in risk_audit_map:
             if args.risk_audit:
                 console.print(
@@ -708,14 +758,16 @@ def main():
             try:
                 audit_results = audit(project_type, pkg_list)
                 if audit_results:
-                    LOG.debug("Remote audit yielded %d results", len(audit_results))
+                    LOG.debug(
+                        "Remote audit yielded %d results", len(audit_results)
+                    )
                     results = results + audit_results
             except Exception as e:
                 LOG.error("Remote audit was not successful")
                 LOG.error(e)
                 results = []
-        # In case of docker, bom, or universal type, check if there are any npm packages that can be
-        # audited remotely
+        # In case of docker, bom, or universal type, check if there are any
+        # npm packages that can be audited remotely
         if project_type in ("podman", "docker", "oci", "bom", "universal"):
             npm_pkg_list = get_pkg_by_type(pkg_list, "npm")
             if npm_pkg_list:
@@ -734,15 +786,23 @@ def main():
         if not db_lib.index_count(db["index_file"]):
             run_cacher = True
         else:
-            LOG.debug("Vulnerability database loaded from %s", config.vdb_bin_file)
+            LOG.debug(
+                "Vulnerability database loaded from %s", config.vdb_bin_file
+            )
         sources_list = [OSVSource(), NvdSource()]
         if os.environ.get("GITHUB_TOKEN"):
             sources_list.insert(0, GitHubSource())
         if run_cacher:
+            LOG.debug(
+                "About to download vdb from %s. This might take a while ...",
+                vdb_database_url,
+            )
             oras_client = oras.client.OrasClient()
-            paths_list = oras_client.pull(target = vdb_database_url, outdir = data_dir)
-            LOG.debug(f'VDB data is stored at: {paths_list}')
+            paths_list = oras_client.pull(
+                target=vdb_database_url, outdir=data_dir
+            )
+            LOG.debug("VDB data is stored at: %s", paths_list)
             run_cacher = False
         elif args.sync:
             for s in sources_list:
@@ -758,7 +818,12 @@ def main():
             db, project_type, pkg_list, args.suggest
         )
         if vdb_results:
-            results = results + vdb_results
+            results += vdb_results
+        if args.csaf:
+            new_res = []
+            for r in results:
+                new_res.append(r.to_dict())
+            export_csaf(new_res, src_dir, reports_dir)
         # Summarise and print results
         summarise(
             project_type,

{owasp-depscan-4.2.7 → owasp-depscan-4.3.0}/depscan/lib/bom.py RENAMED Viewed

@@ -38,7 +38,7 @@ def exec_tool(args, cwd=None, stdout=subprocess.PIPE):
             stderr=subprocess.STDOUT,
             cwd=cwd,
             env=os.environ.copy(),
-            shell=False,
+            shell=True if sys.platform == "win32" else False,
             encoding="utf-8",
         )
         LOG.debug(cp.stdout)
@@ -245,8 +245,8 @@ def resource_path(relative_path):
     return os.path.join(base_path, relative_path)
-def exec_cdxgen(bin=True):
-    if bin:
+def exec_cdxgen(use_bin=True):
+    if use_bin:
         cdxgen_cmd = os.environ.get("CDXGEN_CMD", "cdxgen")
         if not shutil.which(cdxgen_cmd):
             local_bin = resource_path(
@@ -269,7 +269,8 @@ def exec_cdxgen(bin=True):
                 return cdxgen_cmd
             except Exception:
                 return None
+        else:
+            return cdxgen_cmd
     else:
         # cdxgen_cmd = (
         #     os.environ.get("CDXGEN_CMD", "cdxgen")

owasp-depscan 4.2.7__tar.gz → 4.3.0__tar.gz

Potentially problematic release.

owasp-depscan 4.2.7tar.gz → 4.3.0tar.gz