PyPI - owasp-depscan - Versions diffs - 5.0.3__tar.gz → 5.1.0__tar.gz - Mend

owasp-depscan 5.0.3tar.gz → 5.1.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

{owasp-depscan-5.0.3/owasp_depscan.egg-info → owasp-depscan-5.1.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.0.3
+Version: 5.1.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db>=5.5.5
+Requires-Dist: appthreat-vulnerability-db>=5.5.6
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
@@ -461,11 +461,19 @@ Giving it will pass the vulnerability report into your template for rendering th
 Please find a basic example here:
 ```jinja
+{% if metadata -%}
+Report for {{ metadata.component.group }}:{{ metadata.component.name }}:{{ metadata.component.version }}
+{% endif -%}
+{% if vulnerabilities -%}
 There were {{ vulnerabilities | length }} issues identified:
 {% for vuln in vulnerabilities -%}
-* {{ vuln.id }} - {{ vuln.package }}
-{% endfor %}
+* {{ vuln['bom-ref'] }} - {{ vuln.recommendation }}
+{% endfor -%}
+{% else -%}
+🏆 _No vulnerabilities found_
+{% endif -%}
 Severity counts:
 * Low: {{ summary.LOW }}
@@ -475,10 +483,19 @@ Severity counts:
 * Unspecified: {{ summary.UNSPECIFIED }}
 ```
-The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+The objects available are taken from the CycloneDX *.vdr.json BOM file generated, just have a look to the file for its full structure:
+* `metadata`
+* `vulnerabilities`
+* `components`
+* `dependencies`
+* `services`
 `summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
 Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
+We appreciate if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
 ## Discord support
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/README.md RENAMED Viewed

@@ -422,11 +422,19 @@ Giving it will pass the vulnerability report into your template for rendering th
 Please find a basic example here:
 ```jinja
+{% if metadata -%}
+Report for {{ metadata.component.group }}:{{ metadata.component.name }}:{{ metadata.component.version }}
+{% endif -%}
+{% if vulnerabilities -%}
 There were {{ vulnerabilities | length }} issues identified:
 {% for vuln in vulnerabilities -%}
-* {{ vuln.id }} - {{ vuln.package }}
-{% endfor %}
+* {{ vuln['bom-ref'] }} - {{ vuln.recommendation }}
+{% endfor -%}
+{% else -%}
+🏆 _No vulnerabilities found_
+{% endif -%}
 Severity counts:
 * Low: {{ summary.LOW }}
@@ -436,10 +444,19 @@ Severity counts:
 * Unspecified: {{ summary.UNSPECIFIED }}
 ```
-The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+The objects available are taken from the CycloneDX *.vdr.json BOM file generated, just have a look to the file for its full structure:
+* `metadata`
+* `vulnerabilities`
+* `components`
+* `dependencies`
+* `services`
 `summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
 Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
+We appreciate if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
 ## Discord support
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/depscan/cli.py RENAMED Viewed

@@ -1115,7 +1115,8 @@ def main():
     # render report into template if wished
     if args.report_template and os.path.isfile(args.report_template):
         utils.render_template_report(
-            jsonl_report_file=report_file,
+            vdr_file=vdr_file,
+            bom_file=bom_file,
             summary=summary,
             template_file=args.report_template,
             result_file=os.path.join(reports_dir, args.report_name),

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/depscan/lib/normalize.py RENAMED Viewed

@@ -155,10 +155,12 @@ def create_pkg_variations(pkg_dict):
         for suffix in COMMON_SUFFIXES:
             if name.endswith(suffix):
                 name_aliases.add(name.replace(suffix, ""))
-        for k, v in config.package_alias.items():
-            if name.startswith(k) or k.startswith(name) or v.startswith(name):
-                name_aliases.add(k)
-                name_aliases.add(v)
+        # The below aliasing is resulting in several false positives for npm
+        if pkg_type not in ("npm",):
+            for k, v in config.package_alias.items():
+                if name.startswith(k) or k.startswith(name) or v.startswith(name):
+                    name_aliases.add(k)
+                    name_aliases.add(v)
     if pkg_type in config.OS_PKG_TYPES:
         if "lib" in name:
             name_aliases.add(name.replace("lib", ""))

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/depscan/lib/utils.py RENAMED Viewed

@@ -413,22 +413,33 @@ def export_pdf(
 def render_template_report(
-    jsonl_report_file,
+    vdr_file,
+    bom_file,
     summary,
     template_file,
     result_file,
 ):
     """
-    Render the given json_report_file and summary dict using the template_file with Jinja
+    Render the given vdr_file (falling back to bom_file if no vdr was written)
+    and summary dict using the template_file with Jinja, rendered output is written
+    to named result_file in reports directory.
     """
-    with open(jsonl_report_file, "r", encoding="utf-8") as jsonl_file:
-        json_report = [json.loads(jline) for jline in jsonl_file.readlines()]
+    if vdr_file and os.path.isfile(vdr_file):
+        with open(vdr_file, "r", encoding="utf-8") as f:
+            bom = json.load(f)
+    else:
+        with open(bom_file, "r", encoding="utf-8") as f:
+            bom = json.load(f)
     with open(template_file, "r", encoding="utf-8") as tmpl_file:
         template = tmpl_file.read()
     jinja_env = Environment(autoescape=False)
     jinja_tmpl = jinja_env.from_string(template)
     report_result = jinja_tmpl.render(
-        vulnerabilities=json_report,
+        metadata=bom.get('metadata', None),
+        vulnerabilities=bom.get('vulnerabilities', None),
+        components=bom.get('components', None),
+        dependencies=bom.get('dependencies', None),
+        services=bom.get('services', None),
         summary=summary,
     )
     with open(result_file, "w", encoding="utf-8") as outfile:

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0/owasp_depscan.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.0.3
+Version: 5.1.0
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db>=5.5.5
+Requires-Dist: appthreat-vulnerability-db>=5.5.6
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
@@ -461,11 +461,19 @@ Giving it will pass the vulnerability report into your template for rendering th
 Please find a basic example here:
 ```jinja
+{% if metadata -%}
+Report for {{ metadata.component.group }}:{{ metadata.component.name }}:{{ metadata.component.version }}
+{% endif -%}
+{% if vulnerabilities -%}
 There were {{ vulnerabilities | length }} issues identified:
 {% for vuln in vulnerabilities -%}
-* {{ vuln.id }} - {{ vuln.package }}
-{% endfor %}
+* {{ vuln['bom-ref'] }} - {{ vuln.recommendation }}
+{% endfor -%}
+{% else -%}
+🏆 _No vulnerabilities found_
+{% endif -%}
 Severity counts:
 * Low: {{ summary.LOW }}
@@ -475,10 +483,19 @@ Severity counts:
 * Unspecified: {{ summary.UNSPECIFIED }}
 ```
-The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+The objects available are taken from the CycloneDX *.vdr.json BOM file generated, just have a look to the file for its full structure:
+* `metadata`
+* `vulnerabilities`
+* `components`
+* `dependencies`
+* `services`
 `summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
 Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
+We appreciate if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
 ## Discord support
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/owasp_depscan.egg-info/requires.txt RENAMED Viewed

@@ -1,4 +1,4 @@
-appthreat-vulnerability-db>=5.5.5
+appthreat-vulnerability-db>=5.5.6
 defusedxml
 oras
 PyYAML

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/pyproject.toml RENAMED Viewed

@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.0.3"
+version = "5.1.0"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db>=5.5.5",
+    "appthreat-vulnerability-db>=5.5.6",
     "defusedxml",
     "oras",
     "PyYAML",

{owasp-depscan-5.0.3 → owasp-depscan-5.1.0}/test/test_utils.py RENAMED Viewed

@@ -87,12 +87,17 @@ def test_is_exe():
     if os.path.exists("/bin/ls"):
         assert utils.is_exe("/bin/ls")
-def test_template_report():
+def test_template_report_from_vdr():
     utils.render_template_report(
-        jsonl_report_file=os.path.join(
+        vdr_file=os.path.join(
             os.path.dirname(os.path.realpath(__file__)),
             "data",
-            "depscan-java.json",
+            "jinja-report.vdr.json",
+        ),
+        bom_file=os.path.join(
+            os.path.dirname(os.path.realpath(__file__)),
+            "data",
+            "jinja-report.bom.json",
         ),
         summary={
             "UNSPECIFIED": 0,
@@ -112,22 +117,45 @@ def test_template_report():
         rendered_report = report_file.read()
     assert rendered_report == """\
-there are 13 vulns in here:
-* CVE-2018-5968 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2018-12022 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2018-12023 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2019-17267 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2020-9547 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2020-10673 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2020-9548 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2019-14892 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2020-8840 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2019-20330 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2019-10172 - org.codehaus.jackson:jackson-mapper-asl
-* CVE-2019-17531 - com.fasterxml.jackson.core:jackson-databind
-* CVE-2019-16943 - com.fasterxml.jackson.core:jackson-databind
-That's 3 of low severity,
-5 medium, 2 high,
-1 critical and 0 unspecified ones."""
+Report for io.github.heubeck:examiner:1.11.26
+Component count: 228
+* BIT-apisix-2023-44487/pkg:maven/io.netty/netty-codec-http2@4.1.94.Final?type=jar - Update to 4.1.100.Final or later
+* CVE-2023-4043/pkg:maven/org.eclipse.parsson/parsson@1.1.2?type=jar - Update to 1.1.4 or later
+"""
+    os.remove("rendered.report")
+def test_template_report_from_bom():
+    utils.render_template_report(
+        vdr_file=os.path.join(
+            os.path.dirname(os.path.realpath(__file__)),
+            "data",
+            "no-vdr-here",
+        ),
+        bom_file=os.path.join(
+            os.path.dirname(os.path.realpath(__file__)),
+            "data",
+            "jinja-report.bom.json",
+        ),
+        summary={
+            "UNSPECIFIED": 0,
+            "LOW": 0,
+            "MEDIUM": 0,
+            "HIGH": 0,
+            "CRITICAL": 0,
+        },
+        template_file=os.path.join(
+            os.path.dirname(os.path.realpath(__file__)),
+            "data",
+            "report-template.j2",
+        ),
+        result_file="rendered.report"
+    )
+    with open("rendered.report", "r", encoding="utf-8") as report_file:
+        rendered_report = report_file.read()
+    assert rendered_report == """\
+Report for io.github.heubeck:examiner:1.11.27
+Component count: 230
+🏆 No vulnerabilities found 🎉
+"""
     os.remove("rendered.report")