owasp-depscan 4.3.2__tar.gz → 4.3.3__tar.gz

{owasp-depscan-4.3.2/owasp_depscan.egg-info → owasp-depscan-4.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.3.2
+Version: 4.3.3
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -26,12 +26,14 @@ Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: PyGithub
 Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black; extra == "dev"
 Requires-Dist: flake8; extra == "dev"
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: httpretty; extra == "dev"
 
 # Introduction
 
@@ -174,36 +176,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -213,7 +239,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -343,9 +372,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3}/README.md

@@ -139,36 +139,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -178,7 +202,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -308,9 +335,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3}/depscan/cli.py

@@ -20,6 +20,7 @@ from vdb.lib.utils import parse_purl
 
 import oras.client
 
+from depscan.lib import privado, utils, github
 from depscan.lib.csaf import export_csaf, write_toml
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
@@ -114,6 +115,12 @@ def build_args():
         help="DEPRECATED: Suggest is the default mode for determining fix "
         "version.",
     )
+    parser.add_argument(
+        "--no-suggest",
+        action="store_false",
+        dest="suggest",
+        help="Disable suggest mode",
+    )
     parser.add_argument(
         "--risk-audit",
         action="store_true",
@@ -791,8 +798,20 @@ def main():
             )
 
         sources_list = [OSVSource(), NvdSource()]
-        if os.environ.get("GITHUB_TOKEN"):
-            sources_list.insert(0, GitHubSource())
+        github_token = os.environ.get("GITHUB_TOKEN")
+        if github_token:
+            github_client = github.GitHub(github_token)
+
+            if not github_client.can_authenticate():
+                LOG.error("The GitHub personal access token supplied appears to be invalid or expired. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory")
+            else:
+                sources_list.insert(0, GitHubSource())
+                scopes = github_client.get_token_scopes()
+                if not scopes is None and len(scopes) > 0:
+                    LOG.warning(
+                        "The GitHub personal access token was granted more permissions than is necessary for depscan to operate, including the scopes of: %s. It is recommended to use a dedicated token with only the minimum scope necesary for depscan to operate. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory",
+                        ', '.join([scope for scope in scopes])
+                    )
         if run_cacher:
             LOG.debug(
                 "About to download vdb from %s. This might take a while ...",
@@ -804,6 +823,7 @@ def main():
             )
             LOG.debug("VDB data is stored at: %s", paths_list)
             run_cacher = False
+            db = db_lib.get()
         elif args.sync:
             for s in sources_list:
                 LOG.debug("Syncing %s", s.__class__.__name__)

owasp-depscan-4.3.3/depscan/lib/github.py

@@ -0,0 +1,62 @@
+from github import Github, Auth
+from depscan.lib import config
+import httpx
+
+
+class GitHub:
+    # The GitHub instance object from the PyGithub library
+    github = None
+    github_token = None
+
+
+    def __init__(self, github_token: str) -> None:
+        self.github = Github(auth=Auth.Token(github_token))
+        self.github_token = github_token
+
+
+    def can_authenticate(self) -> bool:
+        """
+        Calls the GitHub API to determine if the token is valid
+
+        :return: Flag indicating whether authentication was successful or not
+        """
+        headers = {"Authorization": f"token {self.github_token}"}
+
+        response = httpx.get(
+            url='https://api.github.com/',
+            headers=headers,
+            follow_redirects=True,
+            timeout=config.request_timeout_sec
+        )
+
+        if response.status_code == 401:
+            return False
+        else:
+            return True
+
+
+    def get_token_scopes(self) -> list:
+        """
+        Provides the scopes associated to the access token provided in the environment variable
+        Only classic personal access tokens will result in scopes returned from the GitHub API
+
+        :return: List of token scopes
+        """
+        headers = {"Authorization": f"token {self.github_token}"}
+
+        response = httpx.get(
+            url='https://api.github.com/',
+            headers=headers,
+            follow_redirects=True,
+            timeout=config.request_timeout_sec
+        )
+
+        oauth_scopes = response.headers.get('x-oauth-scopes')
+
+        if not oauth_scopes is None:
+            if oauth_scopes == '':
+                return None
+            else:
+                return oauth_scopes.split(', ')
+
+        return None

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3/owasp_depscan.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.3.2
+Version: 4.3.3
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -26,12 +26,14 @@ Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: PyGithub
 Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black; extra == "dev"
 Requires-Dist: flake8; extra == "dev"
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: httpretty; extra == "dev"
 
 # Introduction
 
@@ -174,36 +176,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -213,7 +239,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -343,9 +372,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3}/owasp_depscan.egg-info/SOURCES.txt

@@ -10,6 +10,7 @@ depscan/lib/audit.py
 depscan/lib/bom.py
 depscan/lib/config.py
 depscan/lib/csaf.py
+depscan/lib/github.py
 depscan/lib/license.py
 depscan/lib/logger.py
 depscan/lib/normalize.py
@@ -25,6 +26,7 @@ owasp_depscan.egg-info/top_level.txt
 test/test_analysis.py
 test/test_bom.py
 test/test_csaf.py
+test/test_github.py
 test/test_license.py
 test/test_norm.py
 test/test_pkg_query.py

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3}/owasp_depscan.egg-info/requires.txt

@@ -4,6 +4,7 @@ oras
 PyYAML
 rich
 quart
+PyGithub
 toml
 
 [dev]
@@ -11,3 +12,4 @@ black
 flake8
 pytest
 pytest-cov
+httpretty

{owasp-depscan-4.3.2 → owasp-depscan-4.3.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "owasp-depscan"
-version = "4.3.2"
+version = "4.3.3"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
@@ -12,6 +12,7 @@ dependencies = [
     "PyYAML",
     "rich",
     "quart",
+    "PyGithub",
     "toml",
 ]
 
@@ -44,7 +45,8 @@ scan = "depscan.cli:main"
 dev = ["black",
 "flake8",
 "pytest",
-"pytest-cov"
+"pytest-cov",
+"httpretty"
 ]
 
 [build-system]

owasp-depscan-4.3.3/test/test_github.py

@@ -0,0 +1,122 @@
+from depscan.lib import github
+import httpretty
+
+
+url = 'https://api.github.com/'
+
+
+def test_can_authenticate_success():
+    httpretty.enable()
+    httpretty.reset()
+    
+    headers = {
+        'content-type': 'application/json',
+        'X-OAuth-Scopes': 'admin:org, admin:repo_hook, repo, user',
+        'X-Accepted-OAuth-Scopes': 'repo'
+    }
+
+    httpretty.register_uri(
+        method=httpretty.GET,
+        uri=url,
+        adding_headers=headers
+    )
+    
+    github_client = github.GitHub('test-token')
+    result = github_client.can_authenticate()
+
+    httpretty.disable()
+
+    assert result == True
+
+
+def test_can_authenticate_unauthentiated():
+    httpretty.enable()
+    httpretty.reset()
+    
+    headers = {
+        'content-type': 'application/json'
+    }
+
+    httpretty.register_uri(
+        method=httpretty.GET,
+        uri=url,
+        body='{"message":"Bad credentials"}',
+        adding_headers=headers,
+        status=401
+    )
+    
+    github_client = github.GitHub('test-token')
+    result = github_client.can_authenticate()
+
+    httpretty.disable()
+
+    assert result == False
+
+
+def test_get_token_scopes_success():
+    httpretty.enable()
+    httpretty.reset()
+
+    headers = {
+        'content-type': 'application/json',
+        'X-OAuth-Scopes': 'admin:org, admin:repo_hook, repo, user',
+        'X-Accepted-OAuth-Scopes': 'repo'
+    }
+
+    httpretty.register_uri(
+        method=httpretty.GET,
+        uri=url,
+        adding_headers=headers
+    )
+    
+    github_client = github.GitHub('test-token')
+    result = github_client.get_token_scopes()
+
+    httpretty.disable()
+
+    assert len(result) == 4 and result.index('admin:org') >= 0 and result.index('admin:repo_hook') >= 0 and result.index('repo') >= 0 and result.index('user') >= 0
+
+
+def test_get_token_scopes_none():
+    httpretty.enable()
+    httpretty.reset()
+
+    headers = {
+        'content-type': 'application/json',
+    }
+
+    httpretty.register_uri(
+        method=httpretty.GET,
+        uri=url,
+        adding_headers=headers
+    )
+    
+    github_client = github.GitHub('test-token')
+    result = github_client.get_token_scopes()
+
+    httpretty.disable()
+
+    assert result is None
+
+
+def test_get_token_scopes_empty():
+    httpretty.enable()
+    httpretty.reset()
+
+    headers = {
+        'content-type': 'application/json',
+        'x-oauth-scopes': ''
+    }
+
+    httpretty.register_uri(
+        method=httpretty.GET,
+        uri=url,
+        adding_headers=headers
+    )
+    
+    github_client = github.GitHub('test-token')
+    result = github_client.get_token_scopes()
+
+    httpretty.disable()
+
+    assert result is None