owasp-depscan 5.3.0__tar.gz → 5.3.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


Files changed (87)
  1. {owasp-depscan-5.3.0/owasp_depscan.egg-info → owasp-depscan-5.3.1}/PKG-INFO +2 -2
  2. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/analysis.py +27 -5
  3. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/config.py +1 -0
  4. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/normalize.py +4 -2
  5. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1/owasp_depscan.egg-info}/PKG-INFO +2 -2
  6. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/owasp_depscan.egg-info/requires.txt +1 -1
  7. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/pyproject.toml +2 -2
  8. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/LICENSE +0 -0
  9. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/MANIFEST.in +0 -0
  10. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/README.md +0 -0
  11. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/__init__.py +0 -0
  12. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/cli.py +0 -0
  13. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/__init__.py +0 -0
  14. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/audit.py +0 -0
  15. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/bom.py +0 -0
  16. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/csaf.py +0 -0
  17. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/explainer.py +0 -0
  18. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/github.py +0 -0
  19. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/license.py +0 -0
  20. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/logger.py +0 -0
  21. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/orasclient.py +0 -0
  22. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/pkg_query.py +0 -0
  23. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/depscan/lib/utils.py +0 -0
  24. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/owasp_depscan.egg-info/SOURCES.txt +0 -0
  25. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/owasp_depscan.egg-info/dependency_links.txt +0 -0
  26. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/owasp_depscan.egg-info/entry_points.txt +0 -0
  27. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/owasp_depscan.egg-info/top_level.txt +0 -0
  28. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/setup.cfg +0 -0
  29. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_analysis.py +0 -0
  30. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_bom.py +0 -0
  31. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_csaf.py +0 -0
  32. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_explainer.py +0 -0
  33. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_github.py +0 -0
  34. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_license.py +0 -0
  35. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_norm.py +0 -0
  36. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_pkg_query.py +0 -0
  37. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/test/test_utils.py +0 -0
  38. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/__init__.py +0 -0
  39. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_data/fields.yml +0 -0
  40. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_data/meta.yml +0 -0
  41. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_data/rules.yml +0 -0
  42. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/0bsd.txt +0 -0
  43. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/afl-3.0.txt +0 -0
  44. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/agpl-3.0.txt +0 -0
  45. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/apache-2.0.txt +0 -0
  46. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/artistic-2.0.txt +0 -0
  47. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/bsd-2-clause.txt +0 -0
  48. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt +0 -0
  49. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/bsd-3-clause.txt +0 -0
  50. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/bsd-4-clause.txt +0 -0
  51. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/bsl-1.0.txt +0 -0
  52. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cc-by-4.0.txt +0 -0
  53. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cc-by-sa-4.0.txt +0 -0
  54. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cc0-1.0.txt +0 -0
  55. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cecill-2.1.txt +0 -0
  56. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cern-ohl-p-2.0.txt +0 -0
  57. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cern-ohl-s-2.0.txt +0 -0
  58. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/cern-ohl-w-2.0.txt +0 -0
  59. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/ecl-2.0.txt +0 -0
  60. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/epl-1.0.txt +0 -0
  61. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/epl-2.0.txt +0 -0
  62. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/eupl-1.1.txt +0 -0
  63. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/eupl-1.2.txt +0 -0
  64. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/gfdl-1.3.txt +0 -0
  65. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/gpl-2.0.txt +0 -0
  66. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/gpl-3.0.txt +0 -0
  67. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/isc.txt +0 -0
  68. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/lgpl-2.1.txt +0 -0
  69. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/lgpl-3.0.txt +0 -0
  70. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/lppl-1.3c.txt +0 -0
  71. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/mit-0.txt +0 -0
  72. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/mit.txt +0 -0
  73. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/mpl-2.0.txt +0 -0
  74. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/ms-pl.txt +0 -0
  75. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/ms-rl.txt +0 -0
  76. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/mulanpsl-2.0.txt +0 -0
  77. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/ncsa.txt +0 -0
  78. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/odbl-1.0.txt +0 -0
  79. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/ofl-1.1.txt +0 -0
  80. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/osl-3.0.txt +0 -0
  81. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/postgresql.txt +0 -0
  82. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/unlicense.txt +0 -0
  83. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/upl-1.0.txt +0 -0
  84. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/vim.txt +0 -0
  85. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/wtfpl.txt +0 -0
  86. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/choosealicense.com/_licenses/zlib.txt +0 -0
  87. {owasp-depscan-5.3.0 → owasp-depscan-5.3.1}/vendor/spdx/json/licenses.json +0 -0
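--- a/owasp-depscan-5.3.0/owasp_depscan.egg-info/PKG-INFO
+++ b/owasp-depscan-5.3.1/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.0
+Version: 5.3.1
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.6
+Requires-Dist: appthreat-vulnerability-db==5.6.7
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML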
@@ -225,6 +225,24 @@ def pkg_sub_tree(
225
225
  )
226
226
 
227
227
 
228
+ def is_lang_sw_edition(package_issue):
229
+ """Check if the specified sw_edition belongs to any application package type"""
230
+ if package_issue and package_issue["affected_location"].get("cpe_uri"):
231
+ all_parts = CPE_FULL_REGEX.match(
232
+ package_issue["affected_location"].get("cpe_uri")
233
+ )
234
+ if not all_parts or all_parts.group("sw_edition") in ("*", "-"):
235
+ return True
236
+ if (
237
+ config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
238
+ or all_parts.group("sw_edition")
239
+ in config.LANG_PKG_TYPES.values()
240
+ ):
241
+ return True
242
+ return False
243
+ return True
244
+
245
+
228
246
  def is_os_target_sw(package_issue):
229
247
  """
230
248
  Since we rely on NVD, we filter those target_sw that definitely belong to a language
@@ -235,9 +253,9 @@ def is_os_target_sw(package_issue):
235
253
  )
236
254
  if (
237
255
  all_parts
238
- and all_parts.group("target_sw") != "*"
256
+ and all_parts.group("target_sw") not in ("*", "-")
239
257
  and (
240
- all_parts.group("target_sw") in config.LANG_PKG_TYPES.keys()
258
+ config.LANG_PKG_TYPES.get(all_parts.group("target_sw"))
241
259
  or all_parts.group("target_sw")
242
260
  in config.LANG_PKG_TYPES.values()
243
261
  )
@@ -367,7 +385,7 @@ def prepare_vdr(options: PrepareVdrOptions):
367
385
  if options.project_type in config.OS_PKG_TYPES:
368
386
  if vendor and (
369
387
  vendor in config.LANG_PKG_TYPES.values()
370
- or vendor in config.LANG_PKG_TYPES.keys()
388
+ or config.LANG_PKG_TYPES.get(vendor)
371
389
  ):
372
390
  fp_count += 1
373
391
  continue
@@ -382,17 +400,21 @@ def prepare_vdr(options: PrepareVdrOptions):
382
400
  version_used = purl_obj.get("version")
383
401
  package_type = purl_obj.get("type")
384
402
  qualifiers = purl_obj.get("qualifiers", {})
403
+ # Filter application CVEs from distros
404
+ if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
405
+ fp_count += 1
406
+ continue
385
407
  if package_type in config.OS_PKG_TYPES:
386
408
  # Bug #208 - do not report application CVEs
387
409
  if vendor and (
388
410
  vendor in config.LANG_PKG_TYPES.values()
389
- or vendor in config.LANG_PKG_TYPES.keys()
411
+ or config.LANG_PKG_TYPES.get(vendor)
390
412
  ):
391
413
  fp_count += 1
392
414
  continue
393
415
  if package_type and (
394
416
  package_type in config.LANG_PKG_TYPES.values()
395
- or package_type in config.LANG_PKG_TYPES.keys()
417
+ or config.LANG_PKG_TYPES.get(package_type)
396
418
  ):
397
419
  fp_count += 1
398
420
  continue
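Review bot: The new filter at the top of the second `prepare_vdr` hunk drops a finding for any language package type whenever `vendor` is in `config.OS_PKG_TYPES`, before `is_lang_sw_edition` is consulted at all; if that set holds distro vendor strings that NVD also uses as the vendor of application products (for example `redhat` on CPEs for Java middleware — not verifiable from this diff), genuine application CVEs become silent false negatives. I would drop the `vendor in config.OS_PKG_TYPES` arm, or at least log the suppressed purl and advisory id at debug level so a suppression can be audited, and split the 200-character condition across lines. `is_lang_sw_edition` indexes `package_issue["affected_location"]` directly while using `.get` for `cpe_uri`, so an issue without that key raises `KeyError` instead of returning the permissive default; `package_issue.get("affected_location", {}).get("cpe_uri")` matches the intent. The `config.LANG_PKG_TYPES.get(x)` replacements behave like the old `in ...keys()` only while every mapped value is truthy — `x in config.LANG_PKG_TYPES` is both exact and idiomatic. `test/test_analysis.py` is listed as +0 -0, so neither the helper nor the new filter has a test.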
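--- a/owasp-depscan-5.3.0/depscan/lib/config.py
+++ b/owasp-depscan-5.3.1/depscan/lib/config.py
@@ -156,6 +156,7 @@ package_alias = {
 "Microsoft.IdentityModel.Clients.ActiveDirectory": "active_directory_authentication_library",
 "starkbank_ecdsa": "ecdsa-elixir",
 "php-pear": "pear-core-minimal",
+"Selenium.WebDriver": "selenium"
 }
 
 # Default ignore list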
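Review bot: The new `"Selenium.WebDriver": "selenium"` entry omits the trailing comma that every other line of `package_alias` carries, so the next alias appended below it will have to touch this line as well; write it as `"Selenium.WebDriver": "selenium",`. The key is mixed-case while the neighbouring entries are lower-case identifiers, so whether the lookup hits depends on the purl name preserving NuGet's casing — worth confirming against how the caller builds the key, since a miss here quietly restores the false positives this alias is meant to remove.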
@@ -106,7 +106,8 @@ def create_pkg_variations(pkg_dict):
106
106
  ):
107
107
  tmpA = vendor.split(".")
108
108
  # Automatically add short vendor forms
109
- if len(tmpA) > 1 and len(tmpA[1]) > 3:
109
+ # Increase to 6 to reduce false positives when the package name is core
110
+ if len(tmpA) > 1 and len(tmpA[1]) > 6:
110
111
  if tmpA[1] != name:
111
112
  vendor_aliases.add(tmpA[1])
112
113
  # Add some common vendor aliases
@@ -208,7 +209,8 @@ def create_pkg_variations(pkg_dict):
208
209
  else:
209
210
  # Filter vendor aliases that are also name aliases for non pypi packages
210
211
  # This is needed for numpy which has the vendor name numpy
211
- if not purl.startswith("pkg:pypi"):
212
+ # Also needed for nuget. Eg: selenium:selenium
213
+ if not purl.startswith("pkg:pypi") and not purl.startswith("pkg:nuget"):
212
214
  vendor_aliases = [
213
215
  x for x in vendor_aliases if x not in name_aliases or x == vendor
214
216
  ]
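Review bot: Raising the short-vendor threshold from 3 to 6 in the first hunk changes which vendors get an alias, not just the `core` case: with `vendor.split(".")`, a dotted vendor such as `org.apache.commons` yields `apache` (six characters), which passed `> 3` but fails `> 6`, so if `vendor` can be a Maven-style group id this trades `core` false positives for missed matches on very common vendors. If the problem is specifically short generic names, filter on the alias value (e.g. `tmpA[1] not in ("core",)`) rather than on length, or at least lift the magic number into a named module constant with the rationale in its comment. `create_pkg_variations` starts and ends outside this hunk. `test/test_norm.py` is +0 -0 in the file list, so neither the new threshold nor the nuget exemption in the second hunk is covered by a test; the second hunk could also use the tuple form `purl.startswith(("pkg:pypi", "pkg:nuget"))`.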
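--- a/owasp-depscan-5.3.0/PKG-INFO
+++ b/owasp-depscan-5.3.1/owasp_depscan.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.0
+Version: 5.3.1
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.6
+Requires-Dist: appthreat-vulnerability-db==5.6.7
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML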
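--- a/owasp-depscan-5.3.0/owasp_depscan.egg-info/requires.txt
+++ b/owasp-depscan-5.3.1/owasp_depscan.egg-info/requires.txt
@@ -1,4 +1,4 @@
-appthreat-vulnerability-db==5.6.6
+appthreat-vulnerability-db==5.6.7
 defusedxml
 oras~=0.1.26
 PyYAML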
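--- a/owasp-depscan-5.3.0/pyproject.toml
+++ b/owasp-depscan-5.3.1/pyproject.toml
@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.3.0"
+version = "5.3.1"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-"appthreat-vulnerability-db==5.6.6",
+"appthreat-vulnerability-db==5.6.7",
 "defusedxml",
 "oras~=0.1.26",
 "PyYAML",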