owasp-depscan 5.3.5__py3-none-any.whl → 5.4.1__py3-none-any.whl

depscan/cli.py

@@ -80,7 +80,7 @@ def build_args():
         action="store_true",
         default=False,
         dest="no_banner",
-        help="Do not display banner",
+        help="Do not display the logo and donation banner. Please make a donation to OWASP before using this argument.",
     )
     parser.add_argument(
         "--cache",
@@ -137,7 +137,7 @@ def build_args():
         "--cdxgen-args",
         default=os.getenv("CDXGEN_ARGS"),
         dest="cdxgen_args",
-        help="Additional arguments to pass to cdxgen"
+        help="Additional arguments to pass to cdxgen",
     )
     parser.add_argument(
         "--private-ns",
@@ -741,6 +741,7 @@ def main():
     and generates reports based on the results.
     """
     args = build_args()
+    perform_risk_audit = args.risk_audit
     # declare variables that get initialized only conditionally
     (
         summary,
@@ -750,21 +751,19 @@ def main():
         pkg_vulnerabilities,
         pkg_group_rows,
     ) = (None, None, None, None, None, None)
-    if os.getenv("GITHUB_ACTION", "").lower() == "__appthreat_dep-scan-action" \
-        and not os.getenv("INPUT_THANK_YOU", "") == ("I have sponsored "
-                                                 "OWASP-dep-scan."):
+    if (
+        os.getenv("CI")
+        and not args.no_banner
+        and not os.getenv("INPUT_THANK_YOU", "")
+        == ("I have sponsored OWASP-dep-scan.")
+    ):
         console.print(
             Panel(
-                "OWASP relies on donations to fund our projects.\n\n"
-                "Donate at: https://owasp.org/donate/?reponame=www-project"
-                "-dep-scan&title=OWASP+depscan.\n\nAfter you have done so, "
-                "make sure you have configured the action with thank_you: 'I "
-                "have sponsored OWASP-dep-scan.'",
-                title="Please make a donation",
+                "OWASP foundation relies on donations to fund our projects.\nPlease donate at: https://owasp.org/donate/?reponame=www-project-dep-scan&title=OWASP+depscan",
+                title="Donate to the OWASP Foundation",
                 expand=False,
             )
         )
-        sys.exit(1)
     # Should we turn on the debug mode
     if args.enable_debug:
         os.environ["AT_DEBUG_MODE"] = "debug"
@@ -808,6 +807,8 @@ def main():
     if args.project_type:
         project_types_list = args.project_type.split(",")
     elif args.search_purl:
+        # Automatically enable risk audit for single purl searches
+        perform_risk_audit = True
         purl_obj = parse_purl(args.search_purl)
         purl_obj["purl"] = args.search_purl
         purl_obj["vendor"] = purl_obj.get("namespace")
@@ -870,7 +871,11 @@ def main():
                 bom_file,
                 src_dir,
                 args.deep_scan,
-                {"cdxgen_server": args.cdxgen_server, "profile": args.profile, "cdxgen_args": args.cdxgen_args},
+                {
+                    "cdxgen_server": args.cdxgen_server,
+                    "profile": args.profile,
+                    "cdxgen_args": args.cdxgen_args,
+                },
             )
         if not creation_status:
             LOG.debug("Bom file %s was not created successfully", bom_file)
@@ -903,16 +908,17 @@ def main():
                 project_type, licenses_results, license_report_file
             )
         if project_type in risk_audit_map:
-            if args.risk_audit:
-                console.print(
-                    Panel(
-                        f"Performing OSS Risk Audit for packages from "
-                        f"{src_dir}\nNo of packages [bold]{len(pkg_list)}"
-                        f"[/bold]. This will take a while ...",
-                        title="OSS Risk Audit",
-                        expand=False,
+            if perform_risk_audit:
+                if len(pkg_list) > 1:
+                    console.print(
+                        Panel(
+                            f"Performing OSS Risk Audit for packages from "
+                            f"{src_dir}\nNo of packages [bold]{len(pkg_list)}"
+                            f"[/bold]. This will take a while ...",
+                            title="OSS Risk Audit",
+                            expand=False,
+                        )
                     )
-                )
                 try:
                     risk_results = risk_audit(
                         project_type,
@@ -995,7 +1001,7 @@ def main():
                 github_client = github.GitHub(github_token)
 
                 if not github_client.can_authenticate():
-                    LOG.error(
+                    LOG.info(
                         "The GitHub personal access token supplied appears to be invalid or expired. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory"
                     )
                 else:
@@ -1021,11 +1027,12 @@ def main():
                 except NotImplementedError:
                     pass
                 run_cacher = False
-        LOG.info(
-            "Performing regular scan for %s using plugin %s",
-            src_dir,
-            project_type,
-        )
+        if len(pkg_list) > 1:
+            LOG.info(
+                "Performing regular scan for %s using plugin %s",
+                src_dir,
+                project_type,
+            )
         vdb_results, pkg_aliases, sug_version_dict, purl_aliases = scan(
             db, project_type, pkg_list, args.suggest
         )
@@ -1071,9 +1078,9 @@ def main():
             )
     console.save_html(
         html_file,
-        theme=MONOKAI
-        if os.getenv("USE_DARK_THEME")
-        else DEFAULT_TERMINAL_THEME,
+        theme=(
+            MONOKAI if os.getenv("USE_DARK_THEME") else DEFAULT_TERMINAL_THEME
+        ),
     )
     utils.export_pdf(html_file, pdf_file)
     # render report into template if wished

depscan/lib/analysis.py

@@ -235,8 +235,7 @@ def is_lang_sw_edition(package_issue):
             return True
         if (
             config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
-            or all_parts.group("sw_edition")
-            in config.LANG_PKG_TYPES.values()
+            or all_parts.group("sw_edition") in config.LANG_PKG_TYPES.values()
         ):
             return True
         return False
@@ -306,6 +305,7 @@ def prepare_vdr(options: PrepareVdrOptions):
     fp_count = 0
     pkg_attention_count = 0
     critical_count = 0
+    malicious_count = 0
     has_poc_count = 0
     has_reachable_poc_count = 0
     has_exploit_count = 0
@@ -376,6 +376,10 @@ def prepare_vdr(options: PrepareVdrOptions):
         package_type = None
         insights = []
         plain_insights = []
+        if vid.startswith("MAL-"):
+            insights.append("[bright_red]:stop_sign: Malicious[/bright_red]")
+            plain_insights.append("Malicious")
+            malicious_count += 1
         purl_obj = None
         vendor = package_issue["affected_location"].get("vendor")
         # If the match was based on name and version alone then the alias might legitimately lack a full purl
@@ -401,7 +405,13 @@ def prepare_vdr(options: PrepareVdrOptions):
                 package_type = purl_obj.get("type")
                 qualifiers = purl_obj.get("qualifiers", {})
                 # Filter application CVEs from distros
-                if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
+                if (
+                    config.LANG_PKG_TYPES.get(package_type)
+                    or package_type in config.LANG_PKG_TYPES.values()
+                ) and (
+                    (vendor and vendor in config.OS_PKG_TYPES)
+                    or not is_lang_sw_edition(package_issue)
+                ):
                     fp_count += 1
                     continue
                 if package_type in config.OS_PKG_TYPES:
@@ -760,7 +770,18 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
         console.print()
         console.print(utable)
         console.print()
-    if options.scoped_pkgs or has_exploit_count:
+    if malicious_count:
+        rmessage = ":stop_sign: Malicious package found! Treat this as a [bold]security incident[/bold] and follow your organization's playbook to remove this package from all affected applications."
+        if malicious_count > 1:
+            rmessage = f":stop_sign: {malicious_count} malicious packages found in this project! Treat this as a [bold]security incident[/bold] and follow your organization's playbook to remove the packages from all affected applications."
+        console.print(
+            Panel(
+                rmessage,
+                title="Action Required",
+                expand=False,
+            )
+        )
+    elif options.scoped_pkgs or has_exploit_count:
         if not pkg_attention_count and has_exploit_count:
             if has_reachable_exploit_count:
                 rmessage = (
@@ -898,18 +919,19 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
                     this result."""
                 console.print(Panel(rmessage, title="Recommendation"))
             else:
-                rmessage = ":white_check_mark: No package requires immediate attention."
+                rmessage = None
                 if reached_purls:
                     rmessage = ":white_check_mark: No package requires immediate attention since the major vulnerabilities are not reachable."
                 elif direct_purls:
                     rmessage = ":white_check_mark: No package requires immediate attention since the major vulnerabilities are found only in dev packages and indirect dependencies."
-                console.print(
-                    Panel(
-                        rmessage,
-                        title="Recommendation",
-                        expand=False,
+                if rmessage:
+                    console.print(
+                        Panel(
+                            rmessage,
+                            title="Recommendation",
+                            expand=False,
+                        )
                     )
-                )
     elif critical_count:
         console.print(
             Panel(
@@ -919,14 +941,6 @@ Below are the vulnerabilities prioritized by depscan. Follow your team's remedia
                 expand=False,
             )
         )
-    else:
-        console.print(
-            Panel(
-                ":white_check_mark: No package requires immediate attention.",
-                title="Recommendation",
-                expand=False,
-            )
-        )
     if reached_purls:
         sorted_reached_purls = sorted(
             ((value, key) for (key, value) in reached_purls.items()),
@@ -1329,12 +1343,14 @@ def analyse_licenses(project_type, licenses_results, license_report_file=None):
                 data = [
                     *pkg_ver,
                     "{}{}".format(
-                        "[cyan]"
-                        if "GPL" in lic["spdx-id"]
-                        or "CC-BY-" in lic["spdx-id"]
-                        or "Facebook" in lic["spdx-id"]
-                        or "WTFPL" in lic["spdx-id"]
-                        else "",
+                        (
+                            "[cyan]"
+                            if "GPL" in lic["spdx-id"]
+                            or "CC-BY-" in lic["spdx-id"]
+                            or "Facebook" in lic["spdx-id"]
+                            or "WTFPL" in lic["spdx-id"]
+                            else ""
+                        ),
                         lic["spdx-id"],
                     ),
                     conditions_str,

depscan/lib/pkg_query.py

@@ -1,5 +1,6 @@
 import math
 from datetime import datetime
+from semver import Version
 
 import httpx
 from rich.progress import Progress
@@ -40,7 +41,9 @@ def get_lookup_url(registry_type, pkg):
     return None, None
 
 
-def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None):
+def metadata_from_registry(
+    registry_type, scoped_pkgs, pkg_list, private_ns=None
+):
     """
     Method to query registry for the package metadata
 
@@ -64,7 +67,9 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
         redirect_stdout=False,
         refresh_per_second=1,
     ) as progress:
-        task = progress.add_task("[green] Auditing packages", total=len(pkg_list))
+        task = progress.add_task(
+            "[green] Auditing packages", total=len(pkg_list)
+        )
         for pkg in pkg_list:
             if circuit_breaker:
                 LOG.info(
@@ -96,14 +101,16 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
                 if private_ns:
                     namespace_prefixes = private_ns.split(",")
                     for ns in namespace_prefixes:
-                        if key.lower().startswith(ns.lower()) or key.lower().startswith(
-                            "@" + ns.lower()
-                        ):
+                        if key.lower().startswith(
+                            ns.lower()
+                        ) or key.lower().startswith("@" + ns.lower()):
                             is_private_pkg = True
                             break
                 risk_metrics = {}
                 if registry_type == "npm":
-                    risk_metrics = npm_pkg_risk(json_data, is_private_pkg, scope)
+                    risk_metrics = npm_pkg_risk(
+                        json_data, is_private_pkg, scope
+                    )
                 elif registry_type == "pypi":
                     project_type_pkg = f"python:{key}".lower()
                     required_pkgs = scoped_pkgs.get("required", [])
@@ -124,7 +131,9 @@ def metadata_from_registry(registry_type, scoped_pkgs, pkg_list, private_ns=None
                         or project_type_pkg in excluded_pkgs
                     ):
                         scope = "excluded"
-                    risk_metrics = pypi_pkg_risk(json_data, is_private_pkg, scope)
+                    risk_metrics = pypi_pkg_risk(
+                        json_data, is_private_pkg, scope, pkg
+                    )
                 metadata_dict[key] = {
                     "scope": scope,
                     "pkg_metadata": json_data,
@@ -269,14 +278,16 @@ def compute_time_risks(
     # Check if the package is at least 1 year old. Quarantine period.
     if created_now_diff.total_seconds() < config.created_now_quarantine_seconds:
         risk_metrics["created_now_quarantine_seconds_risk"] = True
-        risk_metrics[
-            "created_now_quarantine_seconds_value"
-        ] = latest_now_diff.total_seconds()
+        risk_metrics["created_now_quarantine_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
 
     # Check for the maximum seconds difference between latest version and now
     if latest_now_diff.total_seconds() > config.latest_now_max_seconds:
         risk_metrics["latest_now_max_seconds_risk"] = True
-        risk_metrics["latest_now_max_seconds_value"] = latest_now_diff.total_seconds()
+        risk_metrics["latest_now_max_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
         # Since the package is quite old we can relax the min versions risk
         risk_metrics["pkg_min_versions_risk"] = False
     else:
@@ -287,17 +298,19 @@ def compute_time_risks(
         # packages
         if mod_create_diff.total_seconds() < config.mod_create_min_seconds:
             risk_metrics["mod_create_min_seconds_risk"] = True
-            risk_metrics[
-                "mod_create_min_seconds_value"
-            ] = mod_create_diff.total_seconds()
+            risk_metrics["mod_create_min_seconds_value"] = (
+                mod_create_diff.total_seconds()
+            )
     # Check for the minimum seconds difference between latest version and now
     if latest_now_diff.total_seconds() < config.latest_now_min_seconds:
         risk_metrics["latest_now_min_seconds_risk"] = True
-        risk_metrics["latest_now_min_seconds_value"] = latest_now_diff.total_seconds()
+        risk_metrics["latest_now_min_seconds_value"] = (
+            latest_now_diff.total_seconds()
+        )
     return risk_metrics
 
 
-def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
+def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope, pkg):
     """
     Calculate various package risks based on the metadata from pypi.
 
@@ -319,15 +332,38 @@ def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
     versions_dict = pkg_metadata.get("releases", {})
     versions = [ver[0] for k, ver in versions_dict.items() if ver]
     is_deprecated = info.get("yanked") and info.get("yanked_reason")
+    if not is_deprecated and pkg and pkg.get("version"):
+        theversion = versions_dict.get(pkg.get("version"), [])
+        if isinstance(theversion, list):
+            theversion = theversion[0]
+        if theversion.get("yanked"):
+            is_deprecated = True
     # Some packages like pypi:azure only mention deprecated in the description
     # without yanking the package
     pkg_description = info.get("description", "").lower()
-    if not is_deprecated and ("is deprecated" in pkg_description or "no longer maintained" in pkg_description):
+    if not is_deprecated and (
+        "is deprecated" in pkg_description
+        or "no longer maintained" in pkg_description
+    ):
         is_deprecated = True
     latest_deprecated = False
-    first_version = None
-    latest_version = None
-
+    version_nums = list(versions_dict.keys())
+    # Ignore empty versions without metadata. Thanks pypi
+    version_nums = [ver for ver in version_nums if versions_dict.get(ver)]
+    try:
+        first_version_num = min(
+            version_nums,
+            key=lambda x: Version.parse(x, optional_minor_and_patch=True),
+        )
+        latest_version_num = max(
+            version_nums,
+            key=lambda x: Version.parse(x, optional_minor_and_patch=True),
+        )
+    except (ValueError, TypeError):
+        first_version_num = version_nums[0]
+        latest_version_num = version_nums[-1]
+    first_version = versions_dict.get(first_version_num)[0]
+    latest_version = versions_dict.get(latest_version_num)[0]
     # Is the private package available publicly? Dependency confusion.
     if is_private_pkg and pkg_metadata:
         risk_metrics["pkg_private_on_public_registry_risk"] = True
@@ -338,8 +374,6 @@ def pypi_pkg_risk(pkg_metadata, is_private_pkg, scope):
         if len(versions) < config.pkg_min_versions:
             risk_metrics["pkg_min_versions_risk"] = True
             risk_metrics["pkg_min_versions_value"] = len(versions)
-        first_version = versions[0]
-        latest_version = versions[-1]
         # Check if the latest version is deprecated
         if latest_version and latest_version.get("yanked"):
             latest_deprecated = True

{owasp_depscan-5.3.5.dist-info → owasp_depscan-5.4.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.3.5
+Version: 5.4.1
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db ==5.6.8
+Requires-Dist: appthreat-vulnerability-db ==5.7.1
 Requires-Dist: defusedxml
 Requires-Dist: oras ~=0.1.26
 Requires-Dist: PyYAML
@@ -138,27 +138,6 @@ oras pull ghcr.io/owasp-dep-scan/depscan:v4 -o $VDB_HOME
 
 Use `vdb-10y` which is a larger database with vulnerability data spanning the last 10 years from 2014. In contrast, vdb with a starting year of 2018 is appropriate for most users.
 
-### Single binary executables
-
-Download the executable binary for your operating system from the [releases page](https://github.com/owasp-dep-scan/depscan-bin/releases). These binary bundle the following:
-
--   dep-scan with Python 3.11
--   cdxgen with Node.js 21
--   cdxgen binary plugins
-
-```bash
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan-linux-amd64
-chmod +x depscan-linux-amd64
-./depscan-linux-amd64 --help
-```
-
-On Windows,
-
-```powershell
-curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/latest/download/depscan.exe
-.\depscan.exe --help
-```
-
 ### Server mode
 
 dep-scan and cdxgen could be run in server mode. Use the included docker-compose file to get started.
@@ -190,19 +169,14 @@ Use the `/scan` endpoint to perform scans.
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
--   Scanning a SBOM file (present locally).
+-   Scanning an SBOM file (present locally).
 
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
 -   Scanning a GitHub repo.
-
-```bash
-curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
-```
-
--   Uploading a SBOM file and generating results based on it.
+    Uploading an SBOM file and generating results based on it.
 
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
@@ -307,7 +281,7 @@ You can also specify the image using the sha256 digest
 depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker
 ```
 
-You can also save container images using docker or podman save command and pass the archive to depscan for scanning.
+You can also save container images using the docker or podman save command and pass the archive to depscan for scanning.
 
 ```bash
 docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest

{owasp_depscan-5.3.5.dist-info → owasp_depscan-5.4.1.dist-info}/RECORD

@@ -1,7 +1,7 @@
 depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/cli.py,sha256=Ao4FB_vZODe6-dOzAwGJ_6fGKgx4oXPfBQR-j-nfxcg,39048
+depscan/cli.py,sha256=WQ_EbQgkwW0h1L-7otvaG8mLFqpk4r8n8YCPjHcCE1M,39240
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-depscan/lib/analysis.py,sha256=Zlm_BhmassmosM0yYazXUXNflhSgsrVvNTQtAoVIChU,59180
+depscan/lib/analysis.py,sha256=jzDtf-BvmvH3uD0v7r1pVPU-kiIxcBZEpcwEZYP97xA,60013
 depscan/lib/audit.py,sha256=wpmIowFLaoFs0agZN3FUFxPumty5Gr6YRfcjXGsuNcI,1497
 depscan/lib/bom.py,sha256=MuHBCAt0tQ7LKwuDyMlxi0yCrMA6jI7tV81bFslU3S4,16822
 depscan/lib/config.py,sha256=5kAUh3BfH6Ngu0NY4CDVeNq0Rykk9yWaOh2sd3JWu9c,14627
@@ -12,7 +12,7 @@ depscan/lib/license.py,sha256=y4-WZuD2MOunKaLd2EJGcSYP6s3Lp_dgssdzhcl9eEM,2332
 depscan/lib/logger.py,sha256=TZkxVN2a5g2g0nOlrIodJWaDhTFT6JLtR1vR4fPSMgs,1605
 depscan/lib/normalize.py,sha256=SuGKTKK4aFaORC3dz7RSEEBBN4vRDv0Gq55F18BeDOw,12604
 depscan/lib/orasclient.py,sha256=l8Diieh0I2thTova4ozUkMblgyhRsttAkarnkRemsn0,4960
-depscan/lib/pkg_query.py,sha256=6_bsKSRA2kY5_2HAWV4izEm4qm97fxQeBojkRjX_bVk,20394
+depscan/lib/pkg_query.py,sha256=hOZGtWR4xXaGjoy2x8nzp3chSqywroAT6kNE8iI9Y1s,21494
 depscan/lib/utils.py,sha256=KUQPzjeQYIcjobDakCcbul93Sx74WEqTa_cINmy5620,14844
 vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vendor/choosealicense.com/_data/fields.yml,sha256=ydNsITXFUuADzGPM-jcUcJnN0r_qSGgH51oV27nX3Qs,819
@@ -23,6 +23,8 @@ vendor/choosealicense.com/_licenses/afl-3.0.txt,sha256=geEcMDR01aeoPeGCdJ_JjZ4Mf
 vendor/choosealicense.com/_licenses/agpl-3.0.txt,sha256=Kh_aeCNLcVAuLPgDUCG1WS9eun6BByKKyk2Vu6ZF45c,35944
 vendor/choosealicense.com/_licenses/apache-2.0.txt,sha256=YJ4stZn4SqpB2O8p2P2wTRZPqyLo2Skso0pZnQ9Wozg,12624
 vendor/choosealicense.com/_licenses/artistic-2.0.txt,sha256=Yv9JWPxIuOcT9VDW97f9iaOq9UuSWN9XPlM4k6iBiSE,9649
+vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt,sha256=WMrD25uYhI6ZAS-quCcDghSxt5y3cZWymKSdHJpZkmQ,2422
+vendor/choosealicense.com/_licenses/bsd-2-clause-patent.txt,sha256=Nun0tMNvQE8EQ9OYuu4__J_oCv9PRefJH7TjCWWBZnk,3497
 vendor/choosealicense.com/_licenses/bsd-2-clause.txt,sha256=2CN9FlwXZBaoq5OL9-Eg2PNFCYFj_OyQF8VlL0Z_7K8,2260
 vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt,sha256=dCbal-fEXLo_-tWO4A3qAhDdvw3RFM1mU2UGuGaA4ug,2348
 vendor/choosealicense.com/_licenses/bsd-3-clause.txt,sha256=cy5lPWtX2D7pvSH_U8bdHrMyYozv0F30uZ1SNyff9mQ,2505
@@ -41,7 +43,7 @@ vendor/choosealicense.com/_licenses/epl-2.0.txt,sha256=k8c7FnhGevhW5D3E58w0aZGrG
 vendor/choosealicense.com/_licenses/eupl-1.1.txt,sha256=k1y6FMqr2-lPUTeTgKpEgEGk6q_v-TswB2rvXgu109A,14163
 vendor/choosealicense.com/_licenses/eupl-1.2.txt,sha256=g69vd8dLnaYBrm_DXbS6kMZRsdp1x139JE7JPG8BqOI,14871
 vendor/choosealicense.com/_licenses/gfdl-1.3.txt,sha256=VnY42BXt5eNoitz-BG0cdiBCOVxfzgWrC7_4NmtCzhg,23969
-vendor/choosealicense.com/_licenses/gpl-2.0.txt,sha256=RzSJ5g8eK_29u2Ph4hWNHEhlzFXRT3eRzZ-Nopu-ZJc,19293
+vendor/choosealicense.com/_licenses/gpl-2.0.txt,sha256=H3eZKPhduHF2f5ZpnEmsSfHU8XfEOg_gyp82UmnXjnk,19289
 vendor/choosealicense.com/_licenses/gpl-3.0.txt,sha256=ivpMzXTTmo2oybHggg4Y54-kqIbxr-lxwMnb5kThTnY,36394
 vendor/choosealicense.com/_licenses/isc.txt,sha256=jqksnoAbEeEwMXPDzj_FZrvh7elhkKr_vFoMl3EhRsg,1744
 vendor/choosealicense.com/_licenses/lgpl-2.1.txt,sha256=AJT_fStEUdIjHNDCCyeYV0wpvIHvdA1xmpkJqr2G1jM,27491
@@ -59,14 +61,14 @@ vendor/choosealicense.com/_licenses/ofl-1.1.txt,sha256=rfABl7lxjv8qg1PN1kvFYFWF2
 vendor/choosealicense.com/_licenses/osl-3.0.txt,sha256=4q1Y0uGQtIOD88Z1B4sc6wzJ9ztzRieUglrKqUSiK_s,11580
 vendor/choosealicense.com/_licenses/postgresql.txt,sha256=LTaJOLi4f7dA3DRsx2t4F267JuOSvHzJz5SJ7Pdpn5U,1709
 vendor/choosealicense.com/_licenses/unlicense.txt,sha256=3cLgcN8LslzpUbCVTZwbXSKxfxUNWOrGa9plPQRLte0,2001
-vendor/choosealicense.com/_licenses/upl-1.0.txt,sha256=fUjnD9-De6RIsp29l6RNDD_sg2WIM0DvhKgkhrRYR_A,3252
+vendor/choosealicense.com/_licenses/upl-1.0.txt,sha256=yJ3mfZkFmzSHesz6uOF9S0fX6hkCVMhr7rmgUdGL2vc,3253
 vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7UfcJmP1barrhHI,6119
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
-vendor/spdx/json/licenses.json,sha256=_Vz_aACEg-giVk08ZBQLqB5Z3AnSWZmdD9I22ID3QNs,275192
-owasp_depscan-5.3.5.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
-owasp_depscan-5.3.5.dist-info/METADATA,sha256=6Lg__90CPIFvjOp1fX9favjGowfN3ynrdEAAOHqzJCE,28091
-owasp_depscan-5.3.5.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-owasp_depscan-5.3.5.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-5.3.5.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-5.3.5.dist-info/RECORD,,
+vendor/spdx/json/licenses.json,sha256=JFXWP7m8we70m62f5b144908LnHDGZn0A_5zjNxnyuI,300252
+owasp_depscan-5.4.1.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-5.4.1.dist-info/METADATA,sha256=iwpGflRb0Jk-ElFkvd4-rIug8m5Dlxb_3pKqZq7jeG8,27345
+owasp_depscan-5.4.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+owasp_depscan-5.4.1.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
+owasp_depscan-5.4.1.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-5.4.1.dist-info/RECORD,,

vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt

@@ -0,0 +1,84 @@
+---
+title: Blue Oak Model License 1.0.0
+spdx-id: BlueOak-1.0.0
+
+description: A permissive license whose main conditions require providing notice of the license. Contributors provide an express grant of patent rights. Licensed works, modifications, and larger works may be distributed under different terms and without source code.
+
+how: Create a text file (typically named LICENSE.md) in the root of your source code and copy the text of the license into the file.
+
+using:
+  drone-gc: https://github.com/drone/drone-gc/blob/master/LICENSE.md
+  oh-my-git: https://github.com/git-learning-game/oh-my-git/blob/main/LICENSE.md
+  punct: https://github.com/otherjoel/punct/blob/main/LICENSE.md 
+
+permissions:
+  - commercial-use
+  - modifications
+  - distribution
+  - patent-use
+  - private-use
+
+conditions:
+  - include-copyright
+
+limitations:
+  - liability
+  - warranty
+
+---
+
+# Blue Oak Model License
+
+Version 1.0.0
+
+## Purpose
+
+This license gives everyone as much permission to work with
+this software as possible, while protecting contributors
+from liability.
+
+## Acceptance
+
+In order to receive this license, you must agree to its
+rules.  The rules of this license are both obligations
+under that agreement and conditions to your license.
+You must not do anything with this software that triggers
+a rule that you cannot or will not follow.
+
+## Copyright
+
+Each contributor licenses you to do everything with this
+software that would otherwise infringe that contributor's
+copyright in it.
+
+## Notices
+
+You must ensure that everyone who gets a copy of
+any part of this software from you, with or without
+changes, also gets the text of this license or a link to
+<https://blueoakcouncil.org/license/1.0.0>.
+
+## Excuse
+
+If anyone notifies you in writing that you have not
+complied with [Notices](#notices), you can keep your
+license by taking all practical steps to comply within 30
+days after the notice.  If you do not do so, your license
+ends immediately.
+
+## Patent
+
+Each contributor licenses you to do everything with this
+software that would otherwise infringe any patent claims
+they can license or become able to license.
+
+## Reliability
+
+No contributor can revoke this license.
+
+## No Liability
+
+***As far as the law allows, this software comes as is,
+without any warranty or condition, and no contributor
+will be liable to anyone for any damages related to this
+software or this license, under any kind of legal claim.***