owasp-depscan 4.3.2__py3-none-any.whl → 4.3.3__py3-none-any.whl

depscan/cli.py

@@ -20,6 +20,7 @@ from vdb.lib.utils import parse_purl
 
 import oras.client
 
+from depscan.lib import privado, utils, github
 from depscan.lib.csaf import export_csaf, write_toml
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
@@ -114,6 +115,12 @@ def build_args():
         help="DEPRECATED: Suggest is the default mode for determining fix "
         "version.",
     )
+    parser.add_argument(
+        "--no-suggest",
+        action="store_false",
+        dest="suggest",
+        help="Disable suggest mode",
+    )
     parser.add_argument(
         "--risk-audit",
         action="store_true",
@@ -791,8 +798,20 @@ def main():
             )
 
         sources_list = [OSVSource(), NvdSource()]
-        if os.environ.get("GITHUB_TOKEN"):
-            sources_list.insert(0, GitHubSource())
+        github_token = os.environ.get("GITHUB_TOKEN")
+        if github_token:
+            github_client = github.GitHub(github_token)
+
+            if not github_client.can_authenticate():
+                LOG.error("The GitHub personal access token supplied appears to be invalid or expired. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory")
+            else:
+                sources_list.insert(0, GitHubSource())
+                scopes = github_client.get_token_scopes()
+                if not scopes is None and len(scopes) > 0:
+                    LOG.warning(
+                        "The GitHub personal access token was granted more permissions than is necessary for depscan to operate, including the scopes of: %s. It is recommended to use a dedicated token with only the minimum scope necesary for depscan to operate. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory",
+                        ', '.join([scope for scope in scopes])
+                    )
         if run_cacher:
             LOG.debug(
                 "About to download vdb from %s. This might take a while ...",
@@ -804,6 +823,7 @@ def main():
             )
             LOG.debug("VDB data is stored at: %s", paths_list)
             run_cacher = False
+            db = db_lib.get()
         elif args.sync:
             for s in sources_list:
                 LOG.debug("Syncing %s", s.__class__.__name__)

depscan/lib/github.py

@@ -0,0 +1,62 @@
+from github import Github, Auth
+from depscan.lib import config
+import httpx
+
+
+class GitHub:
+    # The GitHub instance object from the PyGithub library
+    github = None
+    github_token = None
+
+
+    def __init__(self, github_token: str) -> None:
+        self.github = Github(auth=Auth.Token(github_token))
+        self.github_token = github_token
+
+
+    def can_authenticate(self) -> bool:
+        """
+        Calls the GitHub API to determine if the token is valid
+
+        :return: Flag indicating whether authentication was successful or not
+        """
+        headers = {"Authorization": f"token {self.github_token}"}
+
+        response = httpx.get(
+            url='https://api.github.com/',
+            headers=headers,
+            follow_redirects=True,
+            timeout=config.request_timeout_sec
+        )
+
+        if response.status_code == 401:
+            return False
+        else:
+            return True
+
+
+    def get_token_scopes(self) -> list:
+        """
+        Provides the scopes associated to the access token provided in the environment variable
+        Only classic personal access tokens will result in scopes returned from the GitHub API
+
+        :return: List of token scopes
+        """
+        headers = {"Authorization": f"token {self.github_token}"}
+
+        response = httpx.get(
+            url='https://api.github.com/',
+            headers=headers,
+            follow_redirects=True,
+            timeout=config.request_timeout_sec
+        )
+
+        oauth_scopes = response.headers.get('x-oauth-scopes')
+
+        if not oauth_scopes is None:
+            if oauth_scopes == '':
+                return None
+            else:
+                return oauth_scopes.split(', ')
+
+        return None

{owasp_depscan-4.3.2.dist-info → owasp_depscan-4.3.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.3.2
+Version: 4.3.3
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -26,12 +26,14 @@ Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: PyGithub
 Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black ; extra == 'dev'
 Requires-Dist: flake8 ; extra == 'dev'
 Requires-Dist: pytest ; extra == 'dev'
 Requires-Dist: pytest-cov ; extra == 'dev'
+Requires-Dist: httpretty ; extra == 'dev'
 
 # Introduction
 
@@ -174,36 +176,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -213,7 +239,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -343,9 +372,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp_depscan-4.3.2.dist-info → owasp_depscan-4.3.3.dist-info}/RECORD

@@ -1,11 +1,12 @@
 depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/cli.py,sha256=Me9Ue01W7xUEFPUaYFuXY6xCR3Xw1aOWXlUVZDU_ui8,30524
+depscan/cli.py,sha256=MNjREJU9fdQpNfbMZmJpvU5pRjRZE5qu0CFm7GRt3H0,31679
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 depscan/lib/analysis.py,sha256=TIK0TuyxOng7VbDdweTndyouwMHDoTo-JjjzxOTiCxk,42085
 depscan/lib/audit.py,sha256=rUkrlioaACfKXb7rLhJoSH4F3btpWLQ6OoSFwV0H62w,1246
 depscan/lib/bom.py,sha256=_d_ITu2-aFGerqekIFlQiDhFxKdB5C83bFod7YFxldo,16247
 depscan/lib/config.py,sha256=9tyjo6uNdlJWyNNVfYD5tEt1wWexEyImMmuO8bK9Yns,12562
 depscan/lib/csaf.py,sha256=PkVXesHbZgc5b7PD0n05oqGkKdg7F_KECtuLnrJMGxo,85499
+depscan/lib/github.py,sha256=N48YUA8U74CzvHsFn2gpa8qqvNdhxp5adjdGjA4NbKY,1728
 depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
 depscan/lib/logger.py,sha256=PdGrJstLmvwpMnlYx1zZ12jxz4kmbGm5kTSRs_8UcK4,1529
 depscan/lib/normalize.py,sha256=k8OlhSjzhGieqK1BLJNABRuz2wcwO4J8Ce8lYUsaxik,10008
@@ -62,9 +63,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
 vendor/spdx/json/licenses.json,sha256=PU1SD-zBi-U4r1XIWJ9qU-KixVWsQ5TJePUejC79yzU,251610
-owasp_depscan-4.3.2.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
-owasp_depscan-4.3.2.dist-info/METADATA,sha256=QyAwaLUFW0NHULO144RSSjn_cHt_fQRX9msF2S2jMKM,22703
-owasp_depscan-4.3.2.dist-info/WHEEL,sha256=yQN5g4mg4AybRjkgi-9yy4iQEFibGQmlz78Pik5Or-A,92
-owasp_depscan-4.3.2.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-4.3.2.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-4.3.2.dist-info/RECORD,,
+owasp_depscan-4.3.3.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-4.3.3.dist-info/METADATA,sha256=1nnv29ztpBKkoIzSrbDy_XKR3kEGPYqgDuIM_64P16w,23495
+owasp_depscan-4.3.3.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+owasp_depscan-4.3.3.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+owasp_depscan-4.3.3.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-4.3.3.dist-info/RECORD,,

{owasp_depscan-4.3.2.dist-info → owasp_depscan-4.3.3.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.41.2)
+Generator: bdist_wheel (0.41.3)
 Root-Is-Purelib: true
 Tag: py3-none-any