owasp-depscan 5.4.6__py3-none-any.whl → 5.4.8__py3-none-any.whl





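--- a/depscan/lib/config.py
+++ b/depscan/lib/config.py
@@ -85,7 +85,8 @@ vendor_alias = {
  "io.springfox": "smartbear",
  "log4net": "apache",
  "github": "github actions",
- "microsoft": "azure"
+ "microsoft": "azure",
+ "phenx": "dompdf",
  }
 
  # Package aliases
@@ -313,17 +314,21 @@ vdb_rafs_database_url = os.getenv(
  "VDB_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb:v5-rafs"
  )
 
- # Larger 10 year database
- vdb_10y_database_url = os.getenv(
- "VDB_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-10y:v5"
- )
- vdb_10y_rafs_database_url = os.getenv(
- "VDB_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-10y:v5-rafs"
- )
+ # App only data
+ if os.getenv("VDB_APP_ONLY", "") in ("true", "1"):
+ vdb_database_url = os.getenv("VDB_APP_DATABASE_URL", "ghcr.io/appthreat/vdbgz-app:v5")
+ vdb_rafs_database_url = os.getenv("VDB_APP_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-app:v5-rafs")
 
- if os.getenv("USE_VDB_10Y", "") in ("true", "1"):
- vdb_database_url = vdb_10y_database_url
- vdb_rafs_database_url = vdb_10y_rafs_database_url
+ # Larger 10 year database
+ if os.getenv("USE_VDB_10Y", "") in ("true", "1") or os.getenv("NVD_START_YEAR", "") in ("2014",):
+ if os.getenv("VDB_APP_ONLY", "") in ("true", "1"):
+ # 10 year app-only database
+ vdb_database_url = os.getenv("VDB_APP_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-app-10y:v5")
+ vdb_rafs_database_url = os.getenv("VDB_APP_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-app-10y:v5-rafs")
+ else:
+ # 10 year database
+ vdb_database_url = os.getenv("VDB_10Y_DATABASE_URL", "ghcr.io/appthreat/vdbgz-10y:v5")
+ vdb_rafs_database_url = os.getenv("VDB_10Y_RAFS_DATABASE_URL", "ghcr.io/appthreat/vdb-10y:v5-rafs")
 
  # Package risk scoring using a simple weighted formula with no backing
  # research All parameters and their max value and weight can be overridden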
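Review bot: The 10-year selector in the second hunk hardcodes the calendar year, `os.getenv("NVD_START_YEAR", "") in ("2014",)`, so the "10 year" meaning drifts every January and a user who sets NVD_START_YEAR to 2013 or 2015 silently keeps the default 5-year database; deriving the cutoff from the current year (with a guard for a non-numeric value) would keep the intent stable, and a comment should at least state why 2014 is special. The `VDB_APP_ONLY` check is also evaluated twice with a case-sensitive `in ("true", "1")`, so `True`/`TRUE` are ignored although the README in this release says "Set to true"; reading it once into a flag, e.g. `vdb_app_only = os.getenv("VDB_APP_ONLY", "").lower() in ("true", "1")`, removes the duplication and the case trap. Note that `vdb_10y_database_url` and `vdb_10y_rafs_database_url` are no longer defined; if any other module imports them from config this is a breaking change — callers are not visible from here. Finally, every default here references a mutable `v5`/`v5-rafs` tag and the URL is operator-overridable through the environment, so the vulnerability database is fetched from a source the process simply trusts; a comment such as `# NOTE: tags are mutable; pin by digest (VDB_*_URL) in hardened deployments` would help readers understand the trust boundary.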
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: owasp-depscan
3
- Version: 5.4.6
3
+ Version: 5.4.8
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
20
20
  Requires-Python: >=3.8
21
21
  Description-Content-Type: text/markdown
22
22
  License-File: LICENSE
23
- Requires-Dist: appthreat-vulnerability-db==5.7.5
23
+ Requires-Dist: appthreat-vulnerability-db==5.7.8
24
24
  Requires-Dist: defusedxml
25
25
  Requires-Dist: oras~=0.1.26
26
26
  Requires-Dist: PyYAML
@@ -55,7 +55,6 @@ OWASP dep-scan is a next-generation security and risk audit tool based on known
55
55
  - [Linux distros](#linux-distros)
56
56
  - [Usage](#usage)
57
57
  - [OCI Artifacts via ORAS cli](#oci-artifacts-via-oras-cli)
58
- - [Single binary executables](#single-binary-executables)
59
58
  - [Server mode](#server-mode)
60
59
  - [Scanning projects locally (Python version)](#scanning-projects-locally-python-version)
61
60
  - [Scanning containers locally (Python version)](#scanning-containers-locally-python-version)
@@ -319,25 +318,35 @@ dep-scan uses [cdxgen](https://github.com/CycloneDX/cdxgen) command internally t
319
318
 
320
319
  The following projects and package-dependency format is supported by cdxgen.
321
320
 
322
- | Language | Package format |
323
- | ------------------------ | --------------------------------------------------------------------------------------- |
324
- | node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js |
325
- | java | maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt), bazel |
326
- | php | composer.lock |
327
- | python | setup.py, requirements.txt [2], Pipfile.lock, poetry.lock, bdist_wheel, .whl, .egg-info |
328
- | go | binary, go.mod, go.sum, Gopkg.lock |
329
- | ruby | Gemfile.lock, gemspec |
330
- | rust | binary, Cargo.toml, Cargo.lock |
331
- | .Net | .csproj, packages.config, project.assets.json [3], packages.lock.json, .nupkg |
332
- | dart | pubspec.lock, pubspec.yaml |
333
- | haskell | cabal.project.freeze |
334
- | elixir | mix.lock |
335
- | c/c++ | conan.lock, conanfile.txt |
336
- | clojure | Clojure CLI (deps.edn), Leiningen (project.clj) |
337
- | docker / oci image | All supported languages and Linux OS packages |
338
- | GitHub Actions Workflows | .github/workflows/\*.yml |
339
- | Jenkins Plugins | .hpi files |
340
- | YAML manifests | docker-compose, kubernetes, kustomization, skaffold, tekton etc |
321
+ | Language/Platform | Project Types | Package Formats | Supported Evidence | Supports Transitives |
322
+ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------- |
323
+ | Node.js | `npm`, `pnpm`, `nodejs`, `js`, `javascript`, `typescript`, `ts`, `tsx` | `npm-shrinkwrap.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `rush.js`, `bower.json`, `.min.js` | Yes, except for `.min.` | ✅ |
324
+ | Java | `java`, `groovy`, `kotlin`, `scala`, `jvm`, `gradle`, `mvn`, `maven`, `sbt` | `pom.xml` [1], `build.gradle`, `.kts`, `sbt`, `bazel` | Yes, unless `pom.xml` is manually parsed due to unavailability of maven or errors) | ✅ |
325
+ | Android | `android`, `apk`, `aab` | `apk`, `aab` | - | - |
326
+ | JAR | `jar` | `.jar` | - | - |
327
+ | JAR (Gradle Cache) | `gradle-index`, `gradle-cache` | `$HOME/caches/modules-2/files-2.1/\*\*/\*.jar` | - | - |
328
+ | JAR (SBT Cache) | `sbt-index`, `sbt-cache` | `$HOME/.ivy2/cache/\*\*/\*.jar ` | - | - |
329
+ | JAR (Maven Cache) | `maven-index`, `maven-cache`, `maven-repo` | `$HOME/.m2/repository/\*\*/\*.jar` | - | - |
330
+ | Python | `python`, `py`, `pypi` | `pyproject.toml`, `setup.py`, `requirements.txt` [2], `Pipfile.lock`, `poetry.lock`, `pdm.lock`, `bdist_wheel`, `.whl`, `.egg-info` | Yes using the automatic pip install/freeze. When disabled, only with `Pipfile.lock` and `poetry.lock` | ✅ |
331
+ | Golang | `go`, `golang` | `binary`, `go.mod`, `go.sum`, `Gopkg.lock` | Yes except binary | ✅ |
332
+ | Rust | `rust`, `rust-lang`, `cargo` | `binary`, `Cargo.toml`, `Cargo.lock` | Only for `Cargo.lock` | - |
333
+ | Ruby | `ruby`, `gems` | `Gemfile.lock`, `gemspec` | Only for `Gemfile.lock` | - |
334
+ | .NET (#C) | `csharp`, `netcore`, `dotnet`, `vb`, `dotnet-framework` | `.csproj`, `.vbproj`, `.fsproj`, `packages.config`, `project.assets.json` [3], `packages.lock.json`, `.nupkg`, `paket.lock`, `binary` | Only for `project.assets.json`, `packages.lock.json`, `paket.lock` | - |
335
+ | Dart | `dart`, `flutter`, `pub` | `pubspec.lock`, `pubspec.yaml` | Only for `pubspec.lock` | - |
336
+ | Haskell | `haskell`, `hackage`, `cabal` | `cabal.project.freeze` | Yes | |
337
+ | Elixir | `elixir`, `hex`, `mix` | `mix.lock` | Yes | - |
338
+ | C++ | `c`, `cpp`, `c++`, `conan` | `conan.lock`, `conanfile.txt`, `\*.cmake`, `CMakeLists.txt`, `meson.build`, codebase without package managers! | Yes only for `conan.lock`. Best effort basis for `cmake` without version numbers. | ✅ |
339
+ | Clojure | `clojure`, `edn`, `clj`, `leiningen` | `deps.edn`, `project.clj` | Yes unless the files are parsed manually due to lack of clojure cli or leiningen command | - |
340
+ | GitHub Actions | `github`, `actions` | `.github/workflows/\*.yml` | n/a | ✅ |
341
+ | Operation System (OS) | `os`, `osquery`, `windows`, `linux`, `mac`, `macos`, `darwin` |
342
+ | Jenkins Plugins | `jenkins` | `.hpi files` | - | ✅ |
343
+ | Helm | `helm`, `charts` | `.yaml` | n/a | |
344
+ | Helm (Cache) | `helm-index`, `helm-repo` | `$HOME/.cache/helm/repository/\*\*/\*.yaml` | - | - |
345
+ | Container | `universal`, `containerfile`, `docker-compose`, `dockerfile`, `swarm`, `tekton`, `kustomize`, `operator`, `skaffold`, `kubernetes`, `openshift`, `yaml-manifest` | `.yaml`, `docker-compose\*.yml`, `*Dockerfile*`, `*Containerfile*`, `bitbucket-pipelines.yml` | n/a | - |
346
+ | Google Cloud Build | `cloudbuild` | `cloudbuild.yaml` | n/a | - |
347
+ | Swift (iOS) | `swift` | `Package.resolved`, `Package.swift` (swiftpm) | Yes | - |
348
+ | Binary | `binary`, `blint` |
349
+ | Open API | Open API Specification, Swagger | `openapi\*.json`, `openapi\*.yaml` | n/a | - |
341
350
 
342
351
  ## Reachability analysis
343
352
 
@@ -380,6 +389,30 @@ The following environment variables can be used to customize the behavior.
380
389
  - VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
381
390
  - VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbgz:v5
382
391
  - USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database. Default download url: ghcr.io/appthreat/vdb-10y:v5
392
+ - VDB_APP_ONLY - Set to true to use a special app-only vulnerability database. Default download url: ghcr.io/appthreat/vdbgz-app:v5
393
+
394
+ Example 1 - Run depscan with app-only vdb.
395
+
396
+ ```shell
397
+ docker run --rm \
398
+ -e VDB_HOME=/db \
399
+ -e VDB_APP_ONLY=true \
400
+ -e SCAN_DEBUG_MODE=debug \
401
+ -v /tmp:/db \
402
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
403
+ ```
404
+
405
+ Example 2 - Run depscan with a larger 10 year app-only vdb.
406
+
407
+ ```shell
408
+ docker run --rm \
409
+ -e VDB_HOME=/db \
410
+ -e VDB_APP_ONLY=true \
411
+ -e USE_VDB_10Y=true \
412
+ -e SCAN_DEBUG_MODE=debug \
413
+ -v /tmp:/db \
414
+ -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
415
+ ```
383
416
 
384
417
  ## GitHub Security Advisory
385
418
 
@@ -521,7 +554,7 @@ The objects available are taken from the CycloneDX \*.vdr.json BOM file generate
521
554
  `pkg_group_rows` - List of vulnerability id and the dependency tree prioritized by depscan.
522
555
 
523
556
  Furthermore, insights are imaginable to be made available to the template, please reach out or contribute on demand.
524
- We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates/).
557
+ We appreciate it if you like to contribute your report templates as examples, please add/find them [here](contrib/report-templates).
525
558
 
526
559
  ## Performance tuning
527
560
 
@@ -4,7 +4,7 @@ depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
4
4
  depscan/lib/analysis.py,sha256=M3xvQbsN3-__3OXCsLD2MJYOcpVzUKyjmWoO6xL1T8I,60473
5
5
  depscan/lib/audit.py,sha256=wpmIowFLaoFs0agZN3FUFxPumty5Gr6YRfcjXGsuNcI,1497
6
6
  depscan/lib/bom.py,sha256=MuHBCAt0tQ7LKwuDyMlxi0yCrMA6jI7tV81bFslU3S4,16822
7
- depscan/lib/config.py,sha256=5kAUh3BfH6Ngu0NY4CDVeNq0Rykk9yWaOh2sd3JWu9c,14627
7
+ depscan/lib/config.py,sha256=l5HNXZVUlY7aLjBtVn8jvZVZIeN-YOg5t2E5qmTuKsY,15206
8
8
  depscan/lib/csaf.py,sha256=j9J5E_22nm--MOKy-g-agVnqtlkD84K93AyzOxIh-Rs,81781
9
9
  depscan/lib/explainer.py,sha256=gSBNMxwyr1s_2v0GY-k3Ds5B92LMeCrqJF5P9nsW934,9966
10
10
  depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
@@ -51,7 +51,7 @@ vendor/choosealicense.com/_licenses/lgpl-3.0.txt,sha256=Cy6KfHqXeQj6C_qi4qelTj_X
51
51
  vendor/choosealicense.com/_licenses/lppl-1.3c.txt,sha256=Dew_j3vIQPFMWMGVKKd6YtO9m29eiGZg-WQX_VDdVWE,19902
52
52
  vendor/choosealicense.com/_licenses/mit-0.txt,sha256=-mO2WmWxJv_BrgjS7dyoa0Z6UDEneNMpb8-BXfcIFxs,1813
53
53
  vendor/choosealicense.com/_licenses/mit.txt,sha256=5pGdsTysszAPkY0QSNmW0PRQbh8RC3yqIfMep8o-9bg,1989
54
- vendor/choosealicense.com/_licenses/mpl-2.0.txt,sha256=OITkhOOd1L3pc2-i8XI8D62lfQdcx5p9UpxfvOwiv_E,18103
54
+ vendor/choosealicense.com/_licenses/mpl-2.0.txt,sha256=DgO4Fxt7gwpqQWtAPs7RfTm67Vs6YFY5cfiyeqpPKeY,18104
55
55
  vendor/choosealicense.com/_licenses/ms-pl.txt,sha256=RQ729lB-pefWSFZF4wXHo6blmfzUJltLu3eQaE8rW9w,3226
56
56
  vendor/choosealicense.com/_licenses/ms-rl.txt,sha256=n51KB4JlJbKdsCe_RUFuhw7tPYFRE7TjEntYacLN8WY,3868
57
57
  vendor/choosealicense.com/_licenses/mulanpsl-2.0.txt,sha256=-URwwR8aEk_uTxhRMkHzk_lo5muZyWOR-2P0MZ0tJS0,10377
@@ -65,10 +65,10 @@ vendor/choosealicense.com/_licenses/upl-1.0.txt,sha256=yJ3mfZkFmzSHesz6uOF9S0fX6
65
65
  vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7UfcJmP1barrhHI,6119
66
66
  vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
67
67
  vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
68
- vendor/spdx/json/licenses.json,sha256=JFXWP7m8we70m62f5b144908LnHDGZn0A_5zjNxnyuI,300252
69
- owasp_depscan-5.4.6.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
70
- owasp_depscan-5.4.6.dist-info/METADATA,sha256=ct1jPC9ILq9xEqbEmcjd7viY98pvzyCvywdFDrBlHGQ,27338
71
- owasp_depscan-5.4.6.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
72
- owasp_depscan-5.4.6.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
73
- owasp_depscan-5.4.6.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
74
- owasp_depscan-5.4.6.dist-info/RECORD,,
68
+ vendor/spdx/json/licenses.json,sha256=smNvDARyOEm37C5Xxqyv8-qkvoxGRACoUVNbUaSb4F8,305885
69
+ owasp_depscan-5.4.8.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
70
+ owasp_depscan-5.4.8.dist-info/METADATA,sha256=bRhTTwUkoezH2PlZ_DE12n4jqfuRVuyvxf9Bb7tJ4cU,38300
71
+ owasp_depscan-5.4.8.dist-info/WHEEL,sha256=OVMc5UfuAQiSplgO0_WdW7vXVGAt9Hdd6qtN4HotdyA,91
72
+ owasp_depscan-5.4.8.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
73
+ owasp_depscan-5.4.8.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
74
+ owasp_depscan-5.4.8.dist-info/RECORD,,
@@ -1,5 +1,5 @@
1
1
  Wheel-Version: 1.0
2
- Generator: setuptools (75.1.0)
2
+ Generator: setuptools (75.2.0)
3
3
  Root-Is-Purelib: true
4
4
  Tag: py3-none-any
5
5
 
@@ -393,7 +393,7 @@ Exhibit A - Source Code Form License Notice
393
393
 
394
394
  This Source Code Form is subject to the terms of the Mozilla Public
395
395
  License, v. 2.0. If a copy of the MPL was not distributed with this
396
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
396
+ file, You can obtain one at https://mozilla.org/MPL/2.0/.
397
397
 
398
398
  If it is not possible or desirable to put the notice in a particular
399
399
  file, then You may include the notice in a location (such as a LICENSE