owasp-depscan 5.3.0__tar.gz → 5.3.2__tar.gz

{owasp-depscan-5.3.0/owasp_depscan.egg-info → owasp-depscan-5.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.0
+Version: 5.3.2
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.6
+Requires-Dist: appthreat-vulnerability-db==5.6.7
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/cli.py

@@ -133,6 +133,12 @@ def build_args():
         dest="risk_audit",
         help="Perform package risk audit (slow operation). Npm only.",
     )
+    parser.add_argument(
+        "--cdxgen-args",
+        default=os.getenv("CDXGEN_ARGS"),
+        dest="cdxgen_args",
+        help="Additional arguments to pass to cdxgen"
+    )
     parser.add_argument(
         "--private-ns",
         dest="private_ns",
@@ -864,7 +870,7 @@ def main():
                 bom_file,
                 src_dir,
                 args.deep_scan,
-                {"cdxgen_server": args.cdxgen_server, "profile": args.profile},
+                {"cdxgen_server": args.cdxgen_server, "profile": args.profile, "cdxgen_args": args.cdxgen_args},
             )
         if not creation_status:
             LOG.debug("Bom file %s was not created successfully", bom_file)

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/lib/analysis.py

@@ -225,6 +225,24 @@ def pkg_sub_tree(
     )
 
 
+def is_lang_sw_edition(package_issue):
+    """Check if the specified sw_edition belongs to any application package type"""
+    if package_issue and package_issue["affected_location"].get("cpe_uri"):
+        all_parts = CPE_FULL_REGEX.match(
+            package_issue["affected_location"].get("cpe_uri")
+        )
+        if not all_parts or all_parts.group("sw_edition") in ("*", "-"):
+            return True
+        if (
+            config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
+            or all_parts.group("sw_edition")
+            in config.LANG_PKG_TYPES.values()
+        ):
+            return True
+        return False
+    return True
+
+
 def is_os_target_sw(package_issue):
     """
     Since we rely on NVD, we filter those target_sw that definitely belong to a language
@@ -235,9 +253,9 @@ def is_os_target_sw(package_issue):
         )
         if (
             all_parts
-            and all_parts.group("target_sw") != "*"
+            and all_parts.group("target_sw") not in ("*", "-")
             and (
-                all_parts.group("target_sw") in config.LANG_PKG_TYPES.keys()
+                config.LANG_PKG_TYPES.get(all_parts.group("target_sw"))
                 or all_parts.group("target_sw")
                 in config.LANG_PKG_TYPES.values()
             )
@@ -367,7 +385,7 @@ def prepare_vdr(options: PrepareVdrOptions):
             if options.project_type in config.OS_PKG_TYPES:
                 if vendor and (
                     vendor in config.LANG_PKG_TYPES.values()
-                    or vendor in config.LANG_PKG_TYPES.keys()
+                    or config.LANG_PKG_TYPES.get(vendor)
                 ):
                     fp_count += 1
                     continue
@@ -382,17 +400,21 @@ def prepare_vdr(options: PrepareVdrOptions):
                 version_used = purl_obj.get("version")
                 package_type = purl_obj.get("type")
                 qualifiers = purl_obj.get("qualifiers", {})
+                # Filter application CVEs from distros
+                if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
+                    fp_count += 1
+                    continue
                 if package_type in config.OS_PKG_TYPES:
                     # Bug #208 - do not report application CVEs
                     if vendor and (
                         vendor in config.LANG_PKG_TYPES.values()
-                        or vendor in config.LANG_PKG_TYPES.keys()
+                        or config.LANG_PKG_TYPES.get(vendor)
                     ):
                         fp_count += 1
                         continue
                     if package_type and (
                         package_type in config.LANG_PKG_TYPES.values()
-                        or package_type in config.LANG_PKG_TYPES.keys()
+                        or config.LANG_PKG_TYPES.get(package_type)
                     ):
                         fp_count += 1
                         continue

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/lib/bom.py

@@ -1,5 +1,6 @@
 import json
 import os
+import shlex
 import shutil
 import subprocess
 import sys
@@ -390,6 +391,8 @@ def create_bom(project_type, bom_file, src_dir=".", deep=False, options={}):
         args.append(options.get("profile"))
         if options.get("profile") != "generic":
             LOG.debug("BOM Profile: %s", options.get("profile"))
+    if options.get("cdxgen_args"):
+        args += shlex.split(options.get("cdxgen_args"))
     # Bug #233 - Source directory could be None when working with url
     if src_dir:
         args.append(src_dir)

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/lib/config.py

@@ -156,6 +156,7 @@ package_alias = {
     "Microsoft.IdentityModel.Clients.ActiveDirectory": "active_directory_authentication_library",
     "starkbank_ecdsa": "ecdsa-elixir",
     "php-pear": "pear-core-minimal",
+    "Selenium.WebDriver": "selenium"
 }
 
 # Default ignore list

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/lib/normalize.py

@@ -106,7 +106,8 @@ def create_pkg_variations(pkg_dict):
         ):
             tmpA = vendor.split(".")
             # Automatically add short vendor forms
-            if len(tmpA) > 1 and len(tmpA[1]) > 3:
+            # Increase to 6 to reduce false positives when the package name is core
+            if len(tmpA) > 1 and len(tmpA[1]) > 6:
                 if tmpA[1] != name:
                     vendor_aliases.add(tmpA[1])
     # Add some common vendor aliases
@@ -208,7 +209,8 @@ def create_pkg_variations(pkg_dict):
     else:
         # Filter vendor aliases that are also name aliases for non pypi packages
         # This is needed for numpy which has the vendor name numpy
-        if not purl.startswith("pkg:pypi"):
+        # Also needed for nuget. Eg: selenium:selenium
+        if not purl.startswith("pkg:pypi") and not purl.startswith("pkg:nuget"):
             vendor_aliases = [
                 x for x in vendor_aliases if x not in name_aliases or x == vendor
             ]

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/depscan/lib/utils.py

@@ -232,23 +232,21 @@ def search_pkgs(db, project_type, pkg_list):
         vendor, name = get_pkg_vendor_name(pkg)
         version = pkg.get("version")
         if pkg.get("purl"):
+            ppurl = pkg.get("purl")
             purl_aliases[pkg.get("purl")] = pkg.get("purl")
-            purl_aliases[
-                f"{vendor.lower()}:{name.lower()}:{version}"
-            ] = pkg.get("purl")
+            purl_aliases[f"{vendor.lower()}:{name.lower()}:{version}"] = ppurl
+            if ppurl.startswith("pkg:npm"):
+                purl_aliases[f"npm:{vendor.lower()}/{name.lower()}:{version}"] = ppurl
             if not purl_aliases.get(f"{vendor.lower()}:{name.lower()}"):
-                purl_aliases[f"{vendor.lower()}:{name.lower()}"] = pkg.get(
-                    "purl"
-                )
+                purl_aliases[f"{vendor.lower()}:{name.lower()}"] = ppurl
         if variations:
             for vari in variations:
                 vari_full_pkg = f"""{vari.get("vendor")}:{vari.get("name")}"""
                 pkg_aliases[
                     f"{vendor.lower()}:{name.lower()}:{version}"
                 ].append(vari_full_pkg)
-                purl_aliases[f"{vari_full_pkg.lower()}:{version}"] = pkg.get(
-                    "purl"
-                )
+                if pkg.get("purl"):
+                    purl_aliases[f"{vari_full_pkg.lower()}:{version}"] = pkg.get("purl")
     quick_res = db_lib.bulk_index_search(expanded_list)
     raw_results = db_lib.pkg_bulk_search(db, quick_res)
     raw_results = normalize.dedup(project_type, raw_results)

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2/owasp_depscan.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.0
+Version: 5.3.2
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db==5.6.6
+Requires-Dist: appthreat-vulnerability-db==5.6.7
 Requires-Dist: defusedxml
 Requires-Dist: oras~=0.1.26
 Requires-Dist: PyYAML

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/owasp_depscan.egg-info/requires.txt

@@ -1,4 +1,4 @@
-appthreat-vulnerability-db==5.6.6
+appthreat-vulnerability-db==5.6.7
 defusedxml
 oras~=0.1.26
 PyYAML

{owasp-depscan-5.3.0 → owasp-depscan-5.3.2}/pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.3.0"
+version = "5.3.2"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db==5.6.6",
+    "appthreat-vulnerability-db==5.6.7",
     "defusedxml",
     "oras~=0.1.26",
     "PyYAML",