owasp-depscan 5.1.3__py3-none-any.whl → 5.1.5__py3-none-any.whl

depscan/lib/logger.py

@@ -35,7 +35,6 @@ console = Console(
     log_time=False,
     log_path=False,
     theme=custom_theme,
-    width=int(os.getenv("COLUMNS", "270")),
     color_system="256",
     force_terminal=True,
     highlight=True,
@@ -57,11 +56,16 @@ logging.basicConfig(
     ],
 )
 LOG = logging.getLogger(__name__)
-for _ in ("httpx", "oras"):
-    logging.getLogger(_).disabled = True
 
 # Set logging level
-if os.getenv("SCAN_DEBUG_MODE") == "debug" or os.getenv("AT_DEBUG_MODE") == "debug":
+if (
+    os.getenv("SCAN_DEBUG_MODE") == "debug"
+    or os.getenv("AT_DEBUG_MODE") == "debug"
+):
     LOG.setLevel(logging.DEBUG)
 
 DEBUG = logging.DEBUG
+
+for log_name, log_obj in logging.Logger.manager.loggerDict.items():
+    if log_name != __name__:
+        log_obj.disabled = True

depscan/lib/orasclient.py

@@ -0,0 +1,127 @@
+import os
+import shutil
+import subprocess
+import tarfile
+import tempfile
+
+import oras.client
+import oras.provider
+from oras.logger import setup_logger
+from vdb.lib.config import data_dir
+
+from depscan.lib.config import vdb_database_url, vdb_rafs_database_url
+from depscan.lib.logger import LOG
+
+setup_logger(quiet=True, debug=False)
+
+
+class VdbDistributionRegistry(oras.provider.Registry):
+    """
+    We override the default registry to make things compatible with ghcr. Without this, the below error is thrown.
+
+    jsonschema.exceptions.ValidationError: Additional properties are not allowed ('artifactType' was unexpected)
+    """
+
+    def get_manifest(self, container, allowed_media_type=None):
+        """
+        Retrieve a manifest for a package.
+
+        :param container:  parsed container URI
+        :type container: oras.container.Container or str
+        :param allowed_media_type: one or more allowed media types
+        :type allowed_media_type: str
+        """
+        if not allowed_media_type:
+            allowed_media_type = [oras.defaults.default_manifest_media_type]
+        headers = {"Accept": ";".join(allowed_media_type)}
+
+        get_manifest = f"{self.prefix}://{container.manifest_url()}"  # type: ignore
+        response = self.do_request(get_manifest, "GET", headers=headers)
+        self._check_200_response(response)
+        manifest = response.json()
+        return manifest
+
+
+def download_rafs_based_image():
+    rafs_image_downloaded, paths_list = False, None
+    nydus_image_command = shutil.which("nydus-image", mode=os.X_OK)
+    if nydus_image_command is not None:
+        LOG.info(
+            "About to download the vulnerability database from %s. This might take a while ...",
+            vdb_rafs_database_url,
+        )
+
+        try:
+            oras_client = oras.client.OrasClient(
+                registry=VdbDistributionRegistry()
+            )
+            rafs_data_dir = tempfile.TemporaryDirectory()
+            paths_list = oras_client.pull(
+                target=vdb_rafs_database_url,
+                outdir=rafs_data_dir.name,
+                allowed_media_type=[],
+                overwrite=True,
+            )
+
+            if (
+                paths_list
+                and os.path.exists(
+                    os.path.join(rafs_data_dir.name, "data.rafs")
+                )
+                and os.path.exists(
+                    os.path.join(rafs_data_dir.name, "meta.rafs")
+                )
+            ):
+                nydus_download_command = [
+                    f"{nydus_image_command}",
+                    "unpack",
+                    "--blob",
+                    os.path.join(rafs_data_dir.name, "data.rafs"),
+                    "--output",
+                    os.path.join(data_dir, "vdb.tar"),
+                    "--bootstrap",
+                    os.path.join(rafs_data_dir.name, "meta.rafs"),
+                ]
+                _ = subprocess.run(
+                    nydus_download_command,
+                    check=True,
+                    stdout=subprocess.DEVNULL,
+                    stderr=subprocess.DEVNULL,
+                )
+                if os.path.exists(os.path.join(data_dir, "vdb.tar")):
+                    rafs_image_downloaded = True
+                    with tarfile.open(
+                        os.path.join(data_dir, "vdb.tar"), "r"
+                    ) as tar:
+                        tar.extractall(path=data_dir)
+                    os.remove(os.path.join(data_dir, "vdb.tar"))
+                else:
+                    raise FileNotFoundError("vdb.tar not found")
+            else:
+                raise FileNotFoundError("data.rafs or meta.rafs not found")
+
+        except Exception:
+            LOG.info(
+                "Unable to pull the vulnerability database (rafs image) from %s. Trying to pull the non-rafs-based VDB image.",
+                vdb_rafs_database_url,
+            )
+            rafs_image_downloaded = False
+
+    return rafs_image_downloaded, data_dir
+
+
+def download_image():
+    rafs_image_downloaded, paths_list = download_rafs_based_image()
+    if rafs_image_downloaded:
+        return paths_list
+    LOG.info(
+        "About to download the vulnerability database from %s. This might take a while ...",
+        vdb_database_url,
+    )
+    oras_client = oras.client.OrasClient(registry=VdbDistributionRegistry())
+    return oras_client.pull(
+        target=vdb_database_url,
+        outdir=data_dir,
+        allowed_media_type=[],
+        overwrite=True,
+    )

{owasp_depscan-5.1.3.dist-info → owasp_depscan-5.1.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.1.3
+Version: 5.1.5
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db >=5.5.7
+Requires-Dist: appthreat-vulnerability-db >=5.5.8
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
@@ -30,6 +30,8 @@ Requires-Dist: PyGithub
 Requires-Dist: toml
 Requires-Dist: pdfkit
 Requires-Dist: Jinja2
+Requires-Dist: packageurl-python
+Requires-Dist: cvss
 Provides-Extra: dev
 Requires-Dist: black ; extra == 'dev'
 Requires-Dist: flake8 ; extra == 'dev'
@@ -46,6 +48,38 @@ OWASP dep-scan is a next-generation security and risk audit tool based on known
 [![release](https://github.com/owasp-dep-scan/dep-scan/actions/workflows/pythonpublish.yml/badge.svg)](https://github.com/owasp-dep-scan/dep-scan/actions/workflows/pythonpublish.yml)
 [![Discord](https://img.shields.io/badge/-Discord-lime?style=for-the-badge&logo=discord&logoColor=white&color=black)](https://discord.gg/pF4BYWEJcS)
 
+## Contents
+
+-   [Features](#features)
+    -   [Vulnerability Data sources](#vulnerability-data-sources)
+    -   [Linux distros](#linux-distros)
+-   [Usage](#usage)
+    -   [OCI Artifacts via ORAS cli](#oci-artifacts-via-oras-cli)
+    -   [Single binary executables](#single-binary-executables)
+    -   [Server mode](#server-mode)
+    -   [Scanning projects locally (Python version)](#scanning-projects-locally-python-version)
+    -   [Scanning containers locally (Python version)](#scanning-containers-locally-python-version)
+    -   [Scanning projects locally (Docker container)](#scanning-projects-locally-docker-container)
+-   [Supported languages and package format](#supported-languages-and-package-format)
+-   [Reachability analysis](#reachability-analysis)
+    -   [Example analysis for a Java project](#example-analysis-for-a-java-project)
+    -   [Example analysis for a JavaScript project](#example-analysis-for-a-javascript-project)
+-   [Customization through environment variables](#customization-through-environment-variables)
+-   [GitHub Security Advisory](#github-security-advisory)
+-   [Suggest mode](#suggest-mode)
+-   [Package Risk audit](#package-risk-audit)
+    -   [Automatic adjustment](#automatic-adjustment)
+    -   [Configuring weights](#configuring-weights)
+-   [Live OS scan](#live-os-scan)
+-   [License scan](#license-scan)
+-   [Kubernetes and Cloud apps](#kubernetes-and-cloud-apps)
+-   [PDF reports](#pdf-reports)
+-   [Custom reports](#custom-reports)
+-   [Performance tuning](#performance-tuning)
+    -   [Use nydus to speed up the initial vdb download](#use-nydus-to-speed-up-the-initial-vdb-download)
+-   [Discord support](#discord-support)
+-   [License](#license)
+
 ## Features
 
 -   Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization
@@ -98,15 +132,18 @@ Use [ORAS cli](https://oras.land/docs/) to download the vulnerability database f
 export VDB_HOME=depscan
 mkdir -p $VDB_HOME
 oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
+# oras pull ghcr.io/appthreat/vdb-10y:v5 -o $VDB_HOME
 oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 ```
 
+Use `vdb-10y` which is a larger database with vulnerability data spanning the last 10 years from 2014. In contrast, vdb with a starting year of 2018 is appropriate for most users.
+
 ### Single binary executables
 
 Download the executable binary for your operating system from the [releases page](https://github.com/owasp-dep-scan/depscan-bin/releases). These binary bundle the following:
 
--   dep-scan with Python 3.10
--   cdxgen with Node.js 18
+-   dep-scan with Python 3.11
+-   cdxgen with Node.js 21
 -   cdxgen binary plugins
 
 ```bash
@@ -355,6 +392,8 @@ depscan --profile research -t js -i <source directory> --reports-dir <reports di
 The following environment variables can be used to customise the behaviour.
 
 -   VDB_HOME - Directory to use for caching database. For docker based execution, this directory should get mounted as a volume from the host
+-   VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdb:v5
+-   USE_VDB_10Y - Set to true to use the larger 10 year vulnerability database. Default download url: ghcr.io/appthreat/vdb-10y:v5
 
 ## GitHub Security Advisory
 

{owasp_depscan-5.1.3.dist-info → owasp_depscan-5.1.5.dist-info}/RECORD

@@ -1,16 +1,17 @@
 depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/cli.py,sha256=2zLfxkcGL_3FbRHRS25rENmu1Ir_WmxZPPCLZ2O21TI,40511
+depscan/cli.py,sha256=-dax3GEQOB2qoVZDi8v85IeP08ZBKbjEbwQWjyXGOWs,37332
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/lib/analysis.py,sha256=GdrQbZRorQcTf4_8lC5C11phbI1iIJUNx9FhqgF4agc,50988
+depscan/lib/analysis.py,sha256=PQveVwiPgxG1-th3lxuyzs-LZNyga0qBy7ZsoyuB1SI,56340
 depscan/lib/audit.py,sha256=6GmHOkhDYY1LCIRd-wUSrSISh6_IFR5PhOopPJIQTeE,1318
 depscan/lib/bom.py,sha256=Dkd8AX2ann6FhBeSMvSx86cuq9VEmNPss1Zlziy28aE,16306
-depscan/lib/config.py,sha256=KQ7ArqTAaqdYgEOA98ipaiRkmuDqwvRGw1AUEeS2Nv4,12778
-depscan/lib/csaf.py,sha256=KzolHW_gkt8ZDn4n8sUlwb1d4G6vdvCu8h5wO4DNnJ4,91834
+depscan/lib/config.py,sha256=fxSXio_VhXAJ0HiYyLwtQn10kAm8t4VjoWg-eFcKiA8,14253
+depscan/lib/csaf.py,sha256=B9aigxVn7fis_lF15wPfTgieADTcqYE-XDabTt281Ag,81724
 depscan/lib/explainer.py,sha256=yRCEroeNCSj_bUQXqwUkLHV3l7eSJvTYoms9T1CDgGk,9282
 depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
 depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
-depscan/lib/logger.py,sha256=UKsx_sKuSvkoR7Co4WwUzWe56Aidv0cNFQJM7lXU018,1576
+depscan/lib/logger.py,sha256=TZkxVN2a5g2g0nOlrIodJWaDhTFT6JLtR1vR4fPSMgs,1605
 depscan/lib/normalize.py,sha256=iZZylivfc15lQo4_yU0d_8CWlOFUnAIa512PSH46yrQ,10643
+depscan/lib/orasclient.py,sha256=MfbQXGf9g4NpfrqeuEy-YMzZA56Hc7TqyGG35hy55Qk,4495
 depscan/lib/pkg_query.py,sha256=Hlf3LypsL7EF309HevcfhdjAOPDZbN1XRQOmjQpnxlI,20082
 depscan/lib/utils.py,sha256=fAG6eTRqEvmmbPOsMBdgQzaKo4KWAYdijRgn-_MX6t8,14428
 vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -63,9 +64,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
 vendor/spdx/json/licenses.json,sha256=_Vz_aACEg-giVk08ZBQLqB5Z3AnSWZmdD9I22ID3QNs,275192
-owasp_depscan-5.1.3.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
-owasp_depscan-5.1.3.dist-info/METADATA,sha256=a4KT7Ij-n0UGgTMDRDZzhMQn2XTBuDGTPsRYWHXjhUc,25287
-owasp_depscan-5.1.3.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-owasp_depscan-5.1.3.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-5.1.3.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-5.1.3.dist-info/RECORD,,
+owasp_depscan-5.1.5.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-5.1.5.dist-info/METADATA,sha256=2VrkxZGayUZUYJq41kBWGabC4IW2QZ0myJmFatNOYdo,27489
+owasp_depscan-5.1.5.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+owasp_depscan-5.1.5.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+owasp_depscan-5.1.5.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-5.1.5.dist-info/RECORD,,