owasp-depscan 5.4.8__py3-none-any.whl → 5.5.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (7) hide show
  1. depscan/lib/analysis.py +28 -24
  2. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/METADATA +2 -2
  3. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/RECORD +7 -7
  4. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/WHEEL +1 -1
  5. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/LICENSE +0 -0
  6. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/entry_points.txt +0 -0
  7. {owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/top_level.txt +0 -0
depscan/lib/analysis.py CHANGED
@@ -19,7 +19,7 @@ from rich.table import Table
19
19
  from rich.tree import Tree
20
20
  from vdb.lib import CPE_FULL_REGEX
21
21
  from vdb.lib.config import placeholder_exclude_version, placeholder_fix_version
22
- from vdb.lib.utils import parse_cpe, parse_purl
22
+ from vdb.lib.utils import get_cvss3_from_vector, get_cvss4_from_vector, parse_cpe, parse_purl
23
23
 
24
24
  from depscan.lib import config
25
25
  from depscan.lib.logger import LOG, console
@@ -336,6 +336,11 @@ def prepare_vdr(options: PrepareVdrOptions):
336
336
  justify = "right"
337
337
  table.add_column(header=h, justify=justify, vertical="top")
338
338
  for vuln_occ_dict in options.results:
339
+ # If CVSS v4 data is available, override the severity and cvss_score
340
+ if vuln_occ_dict.get("cvss4_vector_string"):
341
+ cvss4_obj = get_cvss4_from_vector(vuln_occ_dict.get("cvss4_vector_string"))
342
+ vuln_occ_dict["cvss_score"] = cvss4_obj.get("baseScore")
343
+ vuln_occ_dict["severity"] = cvss4_obj.get("baseSeverity").upper()
339
344
  vid = vuln_occ_dict.get("id")
340
345
  problem_type = vuln_occ_dict.get("problem_type")
341
346
  cwes = []
@@ -1026,34 +1031,33 @@ def cvss_to_vdr_rating(vuln_occ_dict):
1026
1031
 
1027
1032
  :return: A list containing a dictionary with CVSS score information.
1028
1033
  """
1029
- cvss_score = vuln_occ_dict.get("cvss_score", 2.0)
1030
- with contextlib.suppress(ValueError, TypeError):
1031
- cvss_score = float(cvss_score)
1032
- if (pkg_severity := vuln_occ_dict.get("severity", "").lower()) not in (
1033
- "critical",
1034
- "high",
1035
- "medium",
1036
- "low",
1037
- "info",
1038
- "none",
1039
- ):
1040
- pkg_severity = "unknown"
1041
- ratings = [
1042
- {
1043
- "score": cvss_score,
1044
- "severity": pkg_severity,
1045
- }
1046
- ]
1047
- method = "31"
1034
+ ratings = []
1035
+ # Support for cvss v4
1036
+ if vuln_occ_dict.get("cvss4_vector_string") and (vector_string := vuln_occ_dict.get("cvss4_vector_string")):
1037
+ cvss4_obj = get_cvss4_from_vector(vector_string)
1038
+ ratings.append(
1039
+ {
1040
+ "method": "CVSSv4",
1041
+ "score": cvss4_obj.get("baseScore"),
1042
+ "severity": cvss4_obj.get("baseSeverity").lower(),
1043
+ "vector": vector_string
1044
+ }
1045
+ )
1048
1046
  if vuln_occ_dict.get("cvss_v3") and (
1049
1047
  vector_string := vuln_occ_dict["cvss_v3"].get("vector_string")
1050
1048
  ):
1051
- ratings[0]["vector"] = vector_string
1052
1049
  with contextlib.suppress(CVSSError):
1053
- method = cvss.CVSS3(vector_string).as_json().get("version")
1050
+ cvss3_obj = get_cvss3_from_vector(vector_string)
1051
+ method = cvss3_obj.get("version")
1054
1052
  method = method.replace(".", "").replace("0", "")
1055
- ratings[0]["method"] = f"CVSSv{method}"
1056
-
1053
+ ratings.append(
1054
+ {
1055
+ "method": f"CVSSv{method}",
1056
+ "score": cvss3_obj.get("baseScore"),
1057
+ "severity": cvss3_obj.get("baseSeverity").lower(),
1058
+ "vector": vector_string
1059
+ }
1060
+ )
1057
1061
  return ratings
1058
1062
 
1059
1063
 
{owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/METADATA RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: owasp-depscan
3
- Version: 5.4.8
3
+ Version: 5.5.0
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
20
20
  Requires-Python: >=3.8
21
21
  Description-Content-Type: text/markdown
22
22
  License-File: LICENSE
23
- Requires-Dist: appthreat-vulnerability-db==5.7.8
23
+ Requires-Dist: appthreat-vulnerability-db==5.8.1
24
24
  Requires-Dist: defusedxml
25
25
  Requires-Dist: oras~=0.1.26
26
26
  Requires-Dist: PyYAML
{owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/RECORD RENAMED
@@ -1,7 +1,7 @@
1
1
  depscan/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
2
2
  depscan/cli.py,sha256=WQ_EbQgkwW0h1L-7otvaG8mLFqpk4r8n8YCPjHcCE1M,39240
3
3
  depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
4
- depscan/lib/analysis.py,sha256=M3xvQbsN3-__3OXCsLD2MJYOcpVzUKyjmWoO6xL1T8I,60473
4
+ depscan/lib/analysis.py,sha256=CxAlqEyiYrJiFWyhgqyWVzPoCmjfwZVpgF1znFnsjVE,61104
5
5
  depscan/lib/audit.py,sha256=wpmIowFLaoFs0agZN3FUFxPumty5Gr6YRfcjXGsuNcI,1497
6
6
  depscan/lib/bom.py,sha256=MuHBCAt0tQ7LKwuDyMlxi0yCrMA6jI7tV81bFslU3S4,16822
7
7
  depscan/lib/config.py,sha256=l5HNXZVUlY7aLjBtVn8jvZVZIeN-YOg5t2E5qmTuKsY,15206
@@ -66,9 +66,9 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
66
66
  vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
67
67
  vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
68
68
  vendor/spdx/json/licenses.json,sha256=smNvDARyOEm37C5Xxqyv8-qkvoxGRACoUVNbUaSb4F8,305885
69
- owasp_depscan-5.4.8.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
70
- owasp_depscan-5.4.8.dist-info/METADATA,sha256=bRhTTwUkoezH2PlZ_DE12n4jqfuRVuyvxf9Bb7tJ4cU,38300
71
- owasp_depscan-5.4.8.dist-info/WHEEL,sha256=OVMc5UfuAQiSplgO0_WdW7vXVGAt9Hdd6qtN4HotdyA,91
72
- owasp_depscan-5.4.8.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
73
- owasp_depscan-5.4.8.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
74
- owasp_depscan-5.4.8.dist-info/RECORD,,
69
+ owasp_depscan-5.5.0.dist-info/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
70
+ owasp_depscan-5.5.0.dist-info/METADATA,sha256=nCvNzb5ypzWLVkoI2JR9aq9rY6p8P_NbBT_QJJraZDM,38300
71
+ owasp_depscan-5.5.0.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
72
+ owasp_depscan-5.5.0.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
73
+ owasp_depscan-5.5.0.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
74
+ owasp_depscan-5.5.0.dist-info/RECORD,,
{owasp_depscan-5.4.8.dist-info → owasp_depscan-5.5.0.dist-info}/WHEEL RENAMED
@@ -1,5 +1,5 @@
1
1
  Wheel-Version: 1.0
2
- Generator: setuptools (75.2.0)
2
+ Generator: setuptools (75.3.0)
3
3
  Root-Is-Purelib: true
4
4
  Tag: py3-none-any
5
5