owasp-depscan 5.1.8__py3-none-any.whl → 5.2.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
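--- a/depscan/cli.py
+++ b/depscan/cli.py
@@ -727,7 +727,14 @@ def main():
  """
  args = build_args()
  # declare variables that get initialized only conditionally
- summary, vdr_file, bom_file, pkg_list, pkg_vulnerabilities, pkg_group_rows = None, None, None, None, None, None
+ (
+ summary,
+ vdr_file,
+ bom_file,
+ pkg_list,
+ pkg_vulnerabilities,
+ pkg_group_rows,
+ ) = (None, None, None, None, None, None)
  # Should we turn on the debug mode
  if args.enable_debug:
  os.environ["AT_DEBUG_MODE"] = "debug"
@@ -738,7 +745,11 @@ def main():
  print(LOGO)
  src_dir = args.src_dir_image
  if not src_dir or src_dir == ".":
- src_dir = os.getcwd()
+ if src_dir == ".":
+ src_dir = os.getcwd()
+ # Try to infer from the bom file
+ elif args.bom and os.path.exists(args.bom):
+ src_dir = os.path.dirname(os.path.realpath(args.bom))
  reports_dir = args.reports_dir
  if args.csaf:
  toml_file_path = os.getenv(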
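Review bot: In the second hunk the fallback to the working directory is lost when `src_dir` is empty or None and no existing `--bom` path is given: the outer `if not src_dir or src_dir == ".":` still fires, but neither the `if src_dir == ".":` branch nor the `elif args.bom and os.path.exists(args.bom):` branch assigns, so `src_dir` stays falsy where the old code always set it to `os.getcwd()`. Whatever consumes `src_dir` further down in `main()` (outside the hunk) presumably still expects a real directory. Adding a final `else: src_dir = os.getcwd()` after the `elif` restores the previous default while keeping the BOM-based inference. The body of `main()` continues outside both hunks.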
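--- a/depscan/lib/explainer.py
+++ b/depscan/lib/explainer.py
@@ -42,7 +42,7 @@ def explain(
  if reachables_slices_file:
  with open(reachables_slices_file, "r", encoding="utf-8") as f:
  reachables_data = json.load(f)
- if reachables_data:
+ if reachables_data and reachables_data.get("reachables"):
  rsection = Markdown(
  """## Reachable Flows
 
@@ -50,7 +50,9 @@ Below are some reachable flows identified by depscan. Use the provided tips to i
  """
  )
  console.print(rsection)
- explain_reachables(reachables_data, pkg_group_rows, project_type)
+ explain_reachables(
+ reachables_data, pkg_group_rows, project_type
+ )
 
 
  def explain_reachables(reachables, pkg_group_rows, project_type):
@@ -75,7 +77,7 @@ def explain_reachables(reachables, pkg_group_rows, project_type):
  flow_tree, comment, source_sink_desc, has_check_tag = explain_flows(
  areach.get("flows"), areach.get("purls"), project_type
  )
- if not source_sink_desc:
+ if not source_sink_desc or not flow_tree:
  continue
  rtable = Table(
  box=box.DOUBLE_EDGE,
@@ -111,7 +113,7 @@ def explain_reachables(reachables, pkg_group_rows, project_type):
  console.print(rsection)
 
 
- def flow_to_source_sink(flow, purls, project_type):
+ def flow_to_source_sink(idx, flow, purls, project_type):
  """ """
  source_sink_desc = ""
  param_name = flow.get("name")
@@ -119,15 +121,23 @@ def flow_to_source_sink(flow, purls, project_type):
  param_str = "Parameter"
  if param_name == "this":
  param_name = ""
+ parent_file = flow.get("parentFileName", "")
+ parent_method = flow.get("parentMethodName", "")
  # Improve the labels based on the language
- if re.search(".(js|ts|jsx|tsx|py|cs)$", flow.get("parentFileName", "")):
+ if re.search(".(js|ts|jsx|tsx|py|cs|php)$", parent_file):
  method_str = "function"
  param_str = "argument"
+ if parent_method in ("handleRequest",):
+ method_str = f"handler {method_str}"
+ elif parent_method in ("__construct", "__init"):
+ method_str = f"constructor"
+ elif project_type in ("php",) and parent_method.startswith("__"):
+ method_str = f"magic {method_str}"
  if flow.get("label") == "METHOD_PARAMETER_IN":
  if param_name:
- source_sink_desc = f"""{param_str} [red]{param_name}[/red] :right_arrow_curving_left: to the {method_str} [bold]{flow.get('parentMethodName')}[/bold]"""
+ source_sink_desc = f"""{param_str} [red]{param_name}[/red] :right_arrow_curving_left: to the {method_str} [bold]{parent_method}[/bold]"""
  else:
- source_sink_desc = f"""{method_str.capitalize()} [red]{flow.get('parentMethodName')}[/red] :right_arrow_curving_left:"""
+ source_sink_desc = f"""{method_str.capitalize()} [red]{parent_method}[/red] :right_arrow_curving_left:"""
  elif flow.get("label") == "CALL" and flow.get("isExternal"):
  method_full_name = flow.get("fullName", "")
  if not method_full_name.startswith("<"):
@@ -148,11 +158,14 @@ def flow_to_source_sink(flow, purls, project_type):
  ):
  source_sink_desc = "Flow starts from a callback function"
  elif (
- "middleware" in source_sink_desc.lower() or "route" in source_sink_desc.lower()
+ "middleware" in source_sink_desc.lower()
+ or "route" in source_sink_desc.lower()
  ):
  source_sink_desc = "Flow starts from a middlware"
  elif len(purls) == 1:
- source_sink_desc = f"{source_sink_desc} can be used to reach this package."
+ source_sink_desc = (
+ f"{source_sink_desc} can be used to reach this package."
+ )
  else:
  source_sink_desc = (
  f"{source_sink_desc} can be used to reach {len(purls)} packages."
@@ -165,7 +178,8 @@ def filter_tags(tags):
  tags = [
  atag
  for atag in tags.split(", ")
- if atag not in ("RESOLVED_MEMBER", "UNKNOWN_METHOD", "UNKNOWN_TYPE_DECL")
+ if atag
+ not in ("RESOLVED_MEMBER", "UNKNOWN_METHOD", "UNKNOWN_TYPE_DECL")
  ]
  return ", ".join(tags)
  return tags
@@ -189,12 +203,16 @@ def flow_to_str(flow, project_type):
  param_name = ""
  node_desc = f'{flow.get("parentMethodName")}([red]{param_name}[/red]) :right_arrow_curving_left:'
  if tags:
- node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
+ node_desc = (
+ f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
+ )
  elif flow.get("label") == "IDENTIFIER":
  if node_desc.startswith("<"):
  node_desc = flow.get("name")
  if tags:
- node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
+ node_desc = (
+ f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
+ )
  if tags:
  for ctag in (
  "validation",
@@ -209,7 +227,11 @@ def flow_to_str(flow, project_type):
  break
  if has_check_tag:
  node_desc = f"[green]{node_desc}[/green]"
- return file_loc, f"""[gray37]{file_loc}[/gray37]{node_desc}""", has_check_tag
+ return (
+ file_loc,
+ f"""[gray37]{file_loc}[/gray37]{node_desc}""",
+ has_check_tag,
+ )
 
 
  def explain_flows(flows, purls, project_type):
@@ -226,7 +248,7 @@ def explain_flows(flows, purls, project_type):
  has_check_tag = False
  last_file_loc = None
  source_sink_desc = ""
- for aflow in flows:
+ for idx, aflow in enumerate(flows):
  # For java, we are only interested in identifiers with tags to keep the flows simple to understand
  if (
  project_type in ("java", "jar", "android", "apk")
@@ -235,8 +257,12 @@ def explain_flows(flows, purls, project_type):
  ):
  continue
  if not source_sink_desc:
- source_sink_desc = flow_to_source_sink(aflow, purls, project_type)
- file_loc, flow_str, has_check_tag_flow = flow_to_str(aflow, project_type)
+ source_sink_desc = flow_to_source_sink(
+ idx, aflow, purls, project_type
+ )
+ file_loc, flow_str, has_check_tag_flow = flow_to_str(
+ aflow, project_type
+ )
  if last_file_loc == file_loc:
  continue
  last_file_loc = file_loc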
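Review bot: The language check in `flow_to_source_sink` keeps an unescaped dot, so `re.search(".(js|ts|jsx|tsx|py|cs|php)$", parent_file)` matches any character before the suffix rather than a literal extension separator — a file name ending in `ics` (for example `Statistics` with no extension) satisfies `.cs$` and gets the function/argument labels; the line should read `if re.search(r"\.(js|ts|jsx|tsx|py|cs|php)$", parent_file):`. Two smaller points in the same function: `method_str = f"constructor"` is an f-string with no placeholders and can be the plain literal `"constructor"`, and the new `idx` parameter is not read anywhere in the visible hunks of `flow_to_source_sink`, so it is either consumed in the part of the body outside the hunks or is dead and should be dropped from both the signature and the call in `explain_flows`. Both `flow_to_source_sink` and `explain_flows` continue past their hunks.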
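--- a/owasp_depscan-5.1.8.dist-info/METADATA
+++ b/owasp_depscan-5.2.0.dist-info/METADATA
@@ -1,6 +1,6 @@
  Metadata-Version: 2.1
  Name: owasp-depscan
- Version: 5.1.8
+ Version: 5.2.0
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
  Author-email: Team AppThreat <cloud@appthreat.com>
  License: MIT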
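--- a/owasp_depscan-5.1.8.dist-info/RECORD
+++ b/owasp_depscan-5.2.0.dist-info/RECORD
@@ -1,12 +1,12 @@
  depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
- depscan/cli.py,sha256=K9lG1iQOPqWTrcXoclv4T0Ee6QPgQfJkZIC9bN-bt3c,37477
+ depscan/cli.py,sha256=HqKHaclGIUcDAUHfqVU57EWD1_apcSt_VCsj3CSQHBI,37726
  depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
  depscan/lib/analysis.py,sha256=fb2dcPERqsmNB4MxWzATJrBP_wJReA-QM6goGvyGtX8,57977
  depscan/lib/audit.py,sha256=6GmHOkhDYY1LCIRd-wUSrSISh6_IFR5PhOopPJIQTeE,1318
  depscan/lib/bom.py,sha256=Dkd8AX2ann6FhBeSMvSx86cuq9VEmNPss1Zlziy28aE,16306
  depscan/lib/config.py,sha256=NJHPzNChbADTBjEFEyiRDGhurK7FAIDrf0Omk1jhpXY,14346
  depscan/lib/csaf.py,sha256=B9aigxVn7fis_lF15wPfTgieADTcqYE-XDabTt281Ag,81724
- depscan/lib/explainer.py,sha256=yRCEroeNCSj_bUQXqwUkLHV3l7eSJvTYoms9T1CDgGk,9282
+ depscan/lib/explainer.py,sha256=gSBNMxwyr1s_2v0GY-k3Ds5B92LMeCrqJF5P9nsW934,9966
  depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
  depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
  depscan/lib/logger.py,sha256=TZkxVN2a5g2g0nOlrIodJWaDhTFT6JLtR1vR4fPSMgs,1605
@@ -64,9 +64,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
  vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
  vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
  vendor/spdx/json/licenses.json,sha256=_Vz_aACEg-giVk08ZBQLqB5Z3AnSWZmdD9I22ID3QNs,275192
- owasp_depscan-5.1.8.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
- owasp_depscan-5.1.8.dist-info/METADATA,sha256=sTw9ek5AN2MRSii_rv484SH1tXplLLVy5V4X7WfPyiQ,27661
- owasp_depscan-5.1.8.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
- owasp_depscan-5.1.8.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
- owasp_depscan-5.1.8.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
- owasp_depscan-5.1.8.dist-info/RECORD,,
+ owasp_depscan-5.2.0.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+ owasp_depscan-5.2.0.dist-info/METADATA,sha256=FHjLTHGP80qxtTka0p5qjgp1LIuiQGy25RFWlDIgNOY,27661
+ owasp_depscan-5.2.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+ owasp_depscan-5.2.0.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+ owasp_depscan-5.2.0.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+ owasp_depscan-5.2.0.dist-info/RECORD,,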