owasp-depscan 5.2.15__py3-none-any.whl → 5.3.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of owasp-depscan might be problematic. Click here for more details.
- depscan/lib/analysis.py +28 -5
- depscan/lib/config.py +1 -0
- depscan/lib/normalize.py +4 -2
- depscan/lib/pkg_query.py +5 -0
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/METADATA +2 -2
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/RECORD +10 -10
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/LICENSE +0 -0
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/WHEEL +0 -0
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/entry_points.txt +0 -0
- {owasp_depscan-5.2.15.dist-info → owasp_depscan-5.3.1.dist-info}/top_level.txt +0 -0
depscan/lib/analysis.py
CHANGED
|
@@ -225,6 +225,24 @@ def pkg_sub_tree(
|
|
|
225
225
|
)
|
|
226
226
|
|
|
227
227
|
|
|
228
|
+
def is_lang_sw_edition(package_issue):
|
|
229
|
+
"""Check if the specified sw_edition belongs to any application package type"""
|
|
230
|
+
if package_issue and package_issue["affected_location"].get("cpe_uri"):
|
|
231
|
+
all_parts = CPE_FULL_REGEX.match(
|
|
232
|
+
package_issue["affected_location"].get("cpe_uri")
|
|
233
|
+
)
|
|
234
|
+
if not all_parts or all_parts.group("sw_edition") in ("*", "-"):
|
|
235
|
+
return True
|
|
236
|
+
if (
|
|
237
|
+
config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
|
|
238
|
+
or all_parts.group("sw_edition")
|
|
239
|
+
in config.LANG_PKG_TYPES.values()
|
|
240
|
+
):
|
|
241
|
+
return True
|
|
242
|
+
return False
|
|
243
|
+
return True
|
|
244
|
+
|
|
245
|
+
|
|
228
246
|
def is_os_target_sw(package_issue):
|
|
229
247
|
"""
|
|
230
248
|
Since we rely on NVD, we filter those target_sw that definitely belong to a language
|
|
@@ -235,9 +253,9 @@ def is_os_target_sw(package_issue):
|
|
|
235
253
|
)
|
|
236
254
|
if (
|
|
237
255
|
all_parts
|
|
238
|
-
and all_parts.group("target_sw")
|
|
256
|
+
and all_parts.group("target_sw") not in ("*", "-")
|
|
239
257
|
and (
|
|
240
|
-
all_parts.group("target_sw")
|
|
258
|
+
config.LANG_PKG_TYPES.get(all_parts.group("target_sw"))
|
|
241
259
|
or all_parts.group("target_sw")
|
|
242
260
|
in config.LANG_PKG_TYPES.values()
|
|
243
261
|
)
|
|
@@ -367,7 +385,7 @@ def prepare_vdr(options: PrepareVdrOptions):
|
|
|
367
385
|
if options.project_type in config.OS_PKG_TYPES:
|
|
368
386
|
if vendor and (
|
|
369
387
|
vendor in config.LANG_PKG_TYPES.values()
|
|
370
|
-
or
|
|
388
|
+
or config.LANG_PKG_TYPES.get(vendor)
|
|
371
389
|
):
|
|
372
390
|
fp_count += 1
|
|
373
391
|
continue
|
|
@@ -382,17 +400,21 @@ def prepare_vdr(options: PrepareVdrOptions):
|
|
|
382
400
|
version_used = purl_obj.get("version")
|
|
383
401
|
package_type = purl_obj.get("type")
|
|
384
402
|
qualifiers = purl_obj.get("qualifiers", {})
|
|
403
|
+
# Filter application CVEs from distros
|
|
404
|
+
if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
|
|
405
|
+
fp_count += 1
|
|
406
|
+
continue
|
|
385
407
|
if package_type in config.OS_PKG_TYPES:
|
|
386
408
|
# Bug #208 - do not report application CVEs
|
|
387
409
|
if vendor and (
|
|
388
410
|
vendor in config.LANG_PKG_TYPES.values()
|
|
389
|
-
or
|
|
411
|
+
or config.LANG_PKG_TYPES.get(vendor)
|
|
390
412
|
):
|
|
391
413
|
fp_count += 1
|
|
392
414
|
continue
|
|
393
415
|
if package_type and (
|
|
394
416
|
package_type in config.LANG_PKG_TYPES.values()
|
|
395
|
-
or
|
|
417
|
+
or config.LANG_PKG_TYPES.get(package_type)
|
|
396
418
|
):
|
|
397
419
|
fp_count += 1
|
|
398
420
|
continue
|
|
@@ -1224,6 +1246,7 @@ def analyse_pkg_risks(
|
|
|
1224
1246
|
if risk_metrics.get("risk_score") and (
|
|
1225
1247
|
risk_metrics.get("risk_score") > config.pkg_max_risk_score
|
|
1226
1248
|
or risk_metrics.get("pkg_private_on_public_registry_risk")
|
|
1249
|
+
or risk_metrics.get("pkg_deprecated_risk")
|
|
1227
1250
|
):
|
|
1228
1251
|
risk_score = f"""{round(risk_metrics.get("risk_score"), 2)}"""
|
|
1229
1252
|
data = [
|
depscan/lib/config.py
CHANGED
|
@@ -156,6 +156,7 @@ package_alias = {
|
|
|
156
156
|
"Microsoft.IdentityModel.Clients.ActiveDirectory": "active_directory_authentication_library",
|
|
157
157
|
"starkbank_ecdsa": "ecdsa-elixir",
|
|
158
158
|
"php-pear": "pear-core-minimal",
|
|
159
|
+
"Selenium.WebDriver": "selenium"
|
|
159
160
|
}
|
|
160
161
|
|
|
161
162
|
# Default ignore list
|
depscan/lib/normalize.py
CHANGED
|
@@ -106,7 +106,8 @@ def create_pkg_variations(pkg_dict):
|
|
|
106
106
|
):
|
|
107
107
|
tmpA = vendor.split(".")
|
|
108
108
|
# Automatically add short vendor forms
|
|
109
|
-
|
|
109
|
+
# Increase to 6 to reduce false positives when the package name is core
|
|
110
|
+
if len(tmpA) > 1 and len(tmpA[1]) > 6:
|
|
110
111
|
if tmpA[1] != name:
|
|
111
112
|
vendor_aliases.add(tmpA[1])
|
|
112
113
|
# Add some common vendor aliases
|
|
@@ -208,7 +209,8 @@ def create_pkg_variations(pkg_dict):
|
|
|
208
209
|
else:
|
|
209
210
|
# Filter vendor aliases that are also name aliases for non pypi packages
|
|
210
211
|
# This is needed for numpy which has the vendor name numpy
|
|
211
|
-
|
|
212
|
+
# Also needed for nuget. Eg: selenium:selenium
|
|
213
|
+
if not purl.startswith("pkg:pypi") and not purl.startswith("pkg:nuget"):
|
|
212
214
|
vendor_aliases = [
|
|
213
215
|
x for x in vendor_aliases if x not in name_aliases or x == vendor
|
|
214
216
|
]
|
depscan/lib/pkg_query.py
CHANGED
|
@@ -319,6 +319,11 @@ def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
|
|
|
319
319
|
versions_dict = pkg_metadata.get("releases", {})
|
|
320
320
|
versions = [ver[0] for k, ver in versions_dict.items() if ver]
|
|
321
321
|
is_deprecated = info.get("yanked") and info.get("yanked_reason")
|
|
322
|
+
# Some packages like pypi:azure only mention deprecated in the description
|
|
323
|
+
# without yanking the package
|
|
324
|
+
pkg_description = info.get("description", "").lower()
|
|
325
|
+
if not is_deprecated and ("is deprecated" in pkg_description or "no longer maintained" in pkg_description):
|
|
326
|
+
is_deprecated = True
|
|
322
327
|
latest_deprecated = False
|
|
323
328
|
first_version = None
|
|
324
329
|
latest_version = None
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: owasp-depscan
|
|
3
|
-
Version: 5.
|
|
3
|
+
Version: 5.3.1
|
|
4
4
|
Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
|
|
5
5
|
Author-email: Team AppThreat <cloud@appthreat.com>
|
|
6
6
|
License: MIT
|
|
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
|
|
|
20
20
|
Requires-Python: >=3.8
|
|
21
21
|
Description-Content-Type: text/markdown
|
|
22
22
|
License-File: LICENSE
|
|
23
|
-
Requires-Dist: appthreat-vulnerability-db ==5.6.
|
|
23
|
+
Requires-Dist: appthreat-vulnerability-db ==5.6.7
|
|
24
24
|
Requires-Dist: defusedxml
|
|
25
25
|
Requires-Dist: oras ~=0.1.26
|
|
26
26
|
Requires-Dist: PyYAML
|
|
@@ -1,18 +1,18 @@
|
|
|
1
1
|
depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
2
2
|
depscan/cli.py,sha256=fS9CoM1mWNqavUqfGA40LMf_-9OQMzFIYvIle3O2TrA,38835
|
|
3
3
|
depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
4
|
-
depscan/lib/analysis.py,sha256=
|
|
4
|
+
depscan/lib/analysis.py,sha256=Zlm_BhmassmosM0yYazXUXNflhSgsrVvNTQtAoVIChU,59180
|
|
5
5
|
depscan/lib/audit.py,sha256=wpmIowFLaoFs0agZN3FUFxPumty5Gr6YRfcjXGsuNcI,1497
|
|
6
6
|
depscan/lib/bom.py,sha256=AdwzWpgnxaq2CKngfiSC-6dKJMnSv0ZD0h6jj4vxW1w,16718
|
|
7
|
-
depscan/lib/config.py,sha256=
|
|
7
|
+
depscan/lib/config.py,sha256=wYYQrpc7IR8uVVjTtcWOpxuszoC0Yq2m_H4JVibMF68,14577
|
|
8
8
|
depscan/lib/csaf.py,sha256=j9J5E_22nm--MOKy-g-agVnqtlkD84K93AyzOxIh-Rs,81781
|
|
9
9
|
depscan/lib/explainer.py,sha256=gSBNMxwyr1s_2v0GY-k3Ds5B92LMeCrqJF5P9nsW934,9966
|
|
10
10
|
depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
|
|
11
11
|
depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
|
|
12
12
|
depscan/lib/logger.py,sha256=TZkxVN2a5g2g0nOlrIodJWaDhTFT6JLtR1vR4fPSMgs,1605
|
|
13
|
-
depscan/lib/normalize.py,sha256=
|
|
13
|
+
depscan/lib/normalize.py,sha256=YyUUIbdZlSHzODW1c7daGOYuuR2lggiv_DlVOZWz7nI,12619
|
|
14
14
|
depscan/lib/orasclient.py,sha256=l8Diieh0I2thTova4ozUkMblgyhRsttAkarnkRemsn0,4960
|
|
15
|
-
depscan/lib/pkg_query.py,sha256=
|
|
15
|
+
depscan/lib/pkg_query.py,sha256=6_bsKSRA2kY5_2HAWV4izEm4qm97fxQeBojkRjX_bVk,20394
|
|
16
16
|
depscan/lib/utils.py,sha256=saC5-ySoyZSgJzATi8gIJtMm3mE57Z1ZuQFV4gG_KN4,14763
|
|
17
17
|
vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
18
18
|
vendor/choosealicense.com/_data/fields.yml,sha256=ydNsITXFUuADzGPM-jcUcJnN0r_qSGgH51oV27nX3Qs,819
|
|
@@ -64,9 +64,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
|
|
|
64
64
|
vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
|
|
65
65
|
vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
|
|
66
66
|
vendor/spdx/json/licenses.json,sha256=_Vz_aACEg-giVk08ZBQLqB5Z3AnSWZmdD9I22ID3QNs,275192
|
|
67
|
-
owasp_depscan-5.
|
|
68
|
-
owasp_depscan-5.
|
|
69
|
-
owasp_depscan-5.
|
|
70
|
-
owasp_depscan-5.
|
|
71
|
-
owasp_depscan-5.
|
|
72
|
-
owasp_depscan-5.
|
|
67
|
+
owasp_depscan-5.3.1.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
|
|
68
|
+
owasp_depscan-5.3.1.dist-info/METADATA,sha256=ZhH0ayPF_KnHB_jRhEPCA35EekpSp3VdV-Um209XdPc,28091
|
|
69
|
+
owasp_depscan-5.3.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
|
|
70
|
+
owasp_depscan-5.3.1.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
|
|
71
|
+
owasp_depscan-5.3.1.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
|
|
72
|
+
owasp_depscan-5.3.1.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|