owasp-depscan 5.0.3__py3-none-any.whl → 5.1.0__py3-none-any.whl

depscan/cli.py

@@ -1115,7 +1115,8 @@ def main():
     # render report into template if wished
     if args.report_template and os.path.isfile(args.report_template):
         utils.render_template_report(
-            jsonl_report_file=report_file,
+            vdr_file=vdr_file,
+            bom_file=bom_file,
             summary=summary,
             template_file=args.report_template,
             result_file=os.path.join(reports_dir, args.report_name),

depscan/lib/normalize.py

@@ -155,10 +155,12 @@ def create_pkg_variations(pkg_dict):
         for suffix in COMMON_SUFFIXES:
             if name.endswith(suffix):
                 name_aliases.add(name.replace(suffix, ""))
-        for k, v in config.package_alias.items():
-            if name.startswith(k) or k.startswith(name) or v.startswith(name):
-                name_aliases.add(k)
-                name_aliases.add(v)
+        # The below aliasing is resulting in several false positives for npm
+        if pkg_type not in ("npm",):
+            for k, v in config.package_alias.items():
+                if name.startswith(k) or k.startswith(name) or v.startswith(name):
+                    name_aliases.add(k)
+                    name_aliases.add(v)
     if pkg_type in config.OS_PKG_TYPES:
         if "lib" in name:
             name_aliases.add(name.replace("lib", ""))

depscan/lib/utils.py

@@ -413,22 +413,33 @@ def export_pdf(
 
 
 def render_template_report(
-    jsonl_report_file,
+    vdr_file,
+    bom_file,
     summary,
     template_file,
     result_file,
 ):
     """
-    Render the given json_report_file and summary dict using the template_file with Jinja
+    Render the given vdr_file (falling back to bom_file if no vdr was written)
+    and summary dict using the template_file with Jinja, rendered output is written
+    to named result_file in reports directory.
     """
-    with open(jsonl_report_file, "r", encoding="utf-8") as jsonl_file:
-        json_report = [json.loads(jline) for jline in jsonl_file.readlines()]
+    if vdr_file and os.path.isfile(vdr_file):
+        with open(vdr_file, "r", encoding="utf-8") as f:
+            bom = json.load(f)
+    else:
+        with open(bom_file, "r", encoding="utf-8") as f:
+            bom = json.load(f)
     with open(template_file, "r", encoding="utf-8") as tmpl_file:
         template = tmpl_file.read()
     jinja_env = Environment(autoescape=False)
     jinja_tmpl = jinja_env.from_string(template)
     report_result = jinja_tmpl.render(
-        vulnerabilities=json_report,
+        metadata=bom.get('metadata', None),
+        vulnerabilities=bom.get('vulnerabilities', None),
+        components=bom.get('components', None),
+        dependencies=bom.get('dependencies', None),
+        services=bom.get('services', None),
         summary=summary,
     )
     with open(result_file, "w", encoding="utf-8") as outfile:

{owasp_depscan-5.0.3.dist-info → owasp_depscan-5.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.0.3
+Version: 5.1.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db >=5.5.5
+Requires-Dist: appthreat-vulnerability-db >=5.5.6
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
@@ -461,11 +461,19 @@ Giving it will pass the vulnerability report into your template for rendering th
 Please find a basic example here:
 
 ```jinja
+{% if metadata -%}
+Report for {{ metadata.component.group }}:{{ metadata.component.name }}:{{ metadata.component.version }}
+{% endif -%}
+
+{% if vulnerabilities -%}
 There were {{ vulnerabilities | length }} issues identified:
 
 {% for vuln in vulnerabilities -%}
-* {{ vuln.id }} - {{ vuln.package }}
-{% endfor %}
+* {{ vuln['bom-ref'] }} - {{ vuln.recommendation }}
+{% endfor -%}
+{% else -%}
+🏆 _No vulnerabilities found_
+{% endif -%}
 
 Severity counts:
 * Low: {{ summary.LOW }}
@@ -475,10 +483,19 @@ Severity counts:
 * Unspecified: {{ summary.UNSPECIFIED }}
 ```
 
-The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+The objects available are taken from the CycloneDX *.vdr.json BOM file generated, just have a look to the file for its full structure:
+
+* `metadata`
+* `vulnerabilities`
+* `components`
+* `dependencies`
+* `services`
+
 `summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
 Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
 
+We appreciate if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
+
 ## Discord support
 
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp_depscan-5.0.3.dist-info → owasp_depscan-5.1.0.dist-info}/RECORD

@@ -1,5 +1,5 @@
 depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/cli.py,sha256=NlcIdADd76Gzr64As_-QjJ0Zbon9d64D1KHxAYlgPlo,40361
+depscan/cli.py,sha256=rKylWBHfAPrNwn1OD5eRA3dADcaVtH1XdFSpTDy5L8w,40380
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 depscan/lib/analysis.py,sha256=GdrQbZRorQcTf4_8lC5C11phbI1iIJUNx9FhqgF4agc,50988
 depscan/lib/audit.py,sha256=6GmHOkhDYY1LCIRd-wUSrSISh6_IFR5PhOopPJIQTeE,1318
@@ -10,9 +10,9 @@ depscan/lib/explainer.py,sha256=yRCEroeNCSj_bUQXqwUkLHV3l7eSJvTYoms9T1CDgGk,9282
 depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
 depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
 depscan/lib/logger.py,sha256=UKsx_sKuSvkoR7Co4WwUzWe56Aidv0cNFQJM7lXU018,1576
-depscan/lib/normalize.py,sha256=Mf8aiXSw9jcshVsb4OyMdRlU41raiCTxXM3VsVwBXZU,10168
+depscan/lib/normalize.py,sha256=HOK6HPgX-wakYuUa6to81Z38atQ1iYXHF-s6nsIrsPU,10298
 depscan/lib/pkg_query.py,sha256=Hlf3LypsL7EF309HevcfhdjAOPDZbN1XRQOmjQpnxlI,20082
-depscan/lib/utils.py,sha256=Qt5dQozjiN7d6-_0j5jFm9fQYviLOMlR0868CpJvdek,14011
+depscan/lib/utils.py,sha256=fAG6eTRqEvmmbPOsMBdgQzaKo4KWAYdijRgn-_MX6t8,14428
 vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vendor/choosealicense.com/_data/fields.yml,sha256=ydNsITXFUuADzGPM-jcUcJnN0r_qSGgH51oV27nX3Qs,819
 vendor/choosealicense.com/_data/meta.yml,sha256=rSNmnx0LE6VA9wnR29Y_P9s-TnADQqbdw2enE4i1mWM,1792
@@ -63,9 +63,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
 vendor/spdx/json/licenses.json,sha256=_Vz_aACEg-giVk08ZBQLqB5Z3AnSWZmdD9I22ID3QNs,275192
-owasp_depscan-5.0.3.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
-owasp_depscan-5.0.3.dist-info/METADATA,sha256=A6tndpGYCot-uPbbd-mTTkE50VSTT7ACFAYvBDSFpmY,24224
-owasp_depscan-5.0.3.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-owasp_depscan-5.0.3.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-5.0.3.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-5.0.3.dist-info/RECORD,,
+owasp_depscan-5.1.0.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-5.1.0.dist-info/METADATA,sha256=Gf3cPNsgde0RurILElnXXVKasNqsXKzgtbpPwtTGeCw,24705
+owasp_depscan-5.1.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+owasp_depscan-5.1.0.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+owasp_depscan-5.1.0.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-5.1.0.dist-info/RECORD,,