owasp-depscan 5.4.8__py3-none-any.whl → 6.0.0a2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (34) hide show
  1. depscan/__init__.py +8 -0
  2. depscan/cli.py +719 -827
  3. depscan/cli_options.py +302 -0
  4. depscan/lib/audit.py +3 -1
  5. depscan/lib/bom.py +390 -288
  6. depscan/lib/config.py +86 -337
  7. depscan/lib/explainer.py +363 -98
  8. depscan/lib/license.py +11 -10
  9. depscan/lib/logger.py +65 -17
  10. depscan/lib/package_query/__init__.py +0 -0
  11. depscan/lib/package_query/cargo_pkg.py +124 -0
  12. depscan/lib/package_query/metadata.py +170 -0
  13. depscan/lib/package_query/npm_pkg.py +345 -0
  14. depscan/lib/package_query/pkg_query.py +195 -0
  15. depscan/lib/package_query/pypi_pkg.py +113 -0
  16. depscan/lib/tomlparse.py +116 -0
  17. depscan/lib/utils.py +34 -188
  18. owasp_depscan-6.0.0a2.dist-info/METADATA +390 -0
  19. {owasp_depscan-5.4.8.dist-info → owasp_depscan-6.0.0a2.dist-info}/RECORD +28 -25
  20. {owasp_depscan-5.4.8.dist-info → owasp_depscan-6.0.0a2.dist-info}/WHEEL +1 -1
  21. vendor/choosealicense.com/_licenses/cern-ohl-p-2.0.txt +1 -1
  22. vendor/choosealicense.com/_licenses/cern-ohl-s-2.0.txt +1 -1
  23. vendor/choosealicense.com/_licenses/cern-ohl-w-2.0.txt +2 -2
  24. vendor/choosealicense.com/_licenses/mit-0.txt +1 -1
  25. vendor/spdx/json/licenses.json +904 -677
  26. depscan/lib/analysis.py +0 -1550
  27. depscan/lib/csaf.py +0 -1860
  28. depscan/lib/normalize.py +0 -312
  29. depscan/lib/orasclient.py +0 -142
  30. depscan/lib/pkg_query.py +0 -532
  31. owasp_depscan-5.4.8.dist-info/METADATA +0 -580
  32. {owasp_depscan-5.4.8.dist-info → owasp_depscan-6.0.0a2.dist-info}/entry_points.txt +0 -0
  33. {owasp_depscan-5.4.8.dist-info → owasp_depscan-6.0.0a2.dist-info/licenses}/LICENSE +0 -0
  34. {owasp_depscan-5.4.8.dist-info → owasp_depscan-6.0.0a2.dist-info}/top_level.txt +0 -0
depscan/cli_options.py ADDED
@@ -0,0 +1,302 @@
1
+ import os
2
+ from depscan import get_version
3
+ from depscan.lib import tomlparse
4
+
5
+
6
+ def build_parser():
7
+ parser = tomlparse.ArgumentParser(
8
+ description="Fully open-source security and license audit for "
9
+ "application dependencies and container images based on "
10
+ "known vulnerabilities and advisories.",
11
+ epilog="Visit https://github.com/owasp-dep-scan/dep-scan to learn more",
12
+ )
13
+ parser.add_argument(
14
+ "--no-banner",
15
+ action="store_true",
16
+ default=False,
17
+ dest="no_banner",
18
+ help="Do not display the logo and donation banner. Please make a donation to OWASP before using this argument.",
19
+ )
20
+ parser.add_argument(
21
+ "-i",
22
+ "--src",
23
+ default=os.getenv("DEPSCAN_SOURCE_DIR_IMAGE", os.getcwd()),
24
+ dest="src_dir_image",
25
+ help="Source directory or container image or binary file",
26
+ )
27
+ parser.add_argument(
28
+ "-o",
29
+ "--reports-dir",
30
+ default=os.getenv("DEPSCAN_REPORTS_DIR", os.path.join(os.getcwd(), "reports")),
31
+ dest="reports_dir",
32
+ help="Reports directory",
33
+ )
34
+ parser.add_argument(
35
+ "--csaf",
36
+ action="store_true",
37
+ default=False,
38
+ dest="csaf",
39
+ help="Generate a OASIS CSAF VEX document",
40
+ )
41
+ parser.add_argument(
42
+ "--profile",
43
+ default="generic",
44
+ choices=(
45
+ "appsec",
46
+ "research",
47
+ "operational",
48
+ "threat-modeling",
49
+ "license-compliance",
50
+ "generic",
51
+ "machine-learning",
52
+ "ml",
53
+ "deep-learning",
54
+ "ml-deep",
55
+ "ml-tiny",
56
+ ),
57
+ dest="profile",
58
+ help="Profile to use while generating the BOM. For granular control, use the arguments --bom-engine, --vulnerability-analyzer, or --reachability-analyzer.",
59
+ )
60
+ parser.add_argument(
61
+ "--lifecycle",
62
+ choices=("pre-build", "build", "post-build"),
63
+ nargs="+",
64
+ type=str,
65
+ dest="lifecycles",
66
+ help="Product lifecycle for the generated BOM. Multiple values allowed.",
67
+ )
68
+ parser.add_argument(
69
+ "--technique",
70
+ choices=(
71
+ "auto",
72
+ "source-code-analysis",
73
+ "binary-analysis",
74
+ "manifest-analysis",
75
+ "hash-comparison",
76
+ "instrumentation",
77
+ "filename",
78
+ ),
79
+ nargs="+",
80
+ type=str,
81
+ dest="techniques",
82
+ help="Analysis technique to use for BOM generation. Multiple values allowed.",
83
+ )
84
+ engine_group = parser.add_mutually_exclusive_group(required=False)
85
+ engine_group.add_argument(
86
+ "--bom-engine",
87
+ choices=(
88
+ "auto",
89
+ "CdxgenGenerator",
90
+ "CdxgenServerGenerator",
91
+ "CdxgenImageBasedGenerator",
92
+ "BlintGenerator",
93
+ ),
94
+ default="auto",
95
+ dest="bom_engine",
96
+ help="BOM generation engine to use. Defaults to automatic selection based on project type and lifecycle.",
97
+ )
98
+ engine_group.add_argument(
99
+ "--vulnerability-analyzer",
100
+ choices=(
101
+ "auto",
102
+ "VDRAnalyzer",
103
+ "LifecycleAnalyzer",
104
+ ),
105
+ default="auto",
106
+ dest="vuln_analyzer",
107
+ help="Vulnerability analyzer to use. Defaults to automatic selection based on bom_dir argument.",
108
+ )
109
+ parser.add_argument(
110
+ "--reachability-analyzer",
111
+ choices=(
112
+ "off",
113
+ "FrameworkReachability",
114
+ "SemanticReachability",
115
+ ),
116
+ default="FrameworkReachability",
117
+ dest="reachability_analyzer",
118
+ help="Reachability analyzer to use. Default FrameworkReachability.",
119
+ )
120
+ parser.add_argument(
121
+ "--no-suggest",
122
+ action="store_false",
123
+ default=True,
124
+ dest="suggest",
125
+ help="Disable suggest mode",
126
+ )
127
+ parser.add_argument(
128
+ "--risk-audit",
129
+ action="store_true",
130
+ default=os.getenv("ENABLE_OSS_RISK", "") in ("true", "1"),
131
+ dest="risk_audit",
132
+ help="Perform package risk audit (slow operation). Npm only.",
133
+ )
134
+ parser.add_argument(
135
+ "--cdxgen-args",
136
+ default=os.getenv("CDXGEN_ARGS"),
137
+ dest="cdxgen_args",
138
+ help="Additional arguments to pass to cdxgen",
139
+ )
140
+ parser.add_argument(
141
+ "--private-ns",
142
+ dest="private_ns",
143
+ default=os.getenv("PKG_PRIVATE_NAMESPACE"),
144
+ help="Private namespace to use while performing oss risk audit. "
145
+ "Private packages should not be available in public registries "
146
+ "by default. Comma separated values accepted.",
147
+ )
148
+ parser.add_argument(
149
+ "-t",
150
+ "--type",
151
+ nargs="+",
152
+ type=str,
153
+ dest="project_type",
154
+ default=os.getenv("DEPSCAN_PROJECT_TYPE", "universal").split(","),
155
+ help="Override project types if auto-detection is incorrect. Multiple values supported.",
156
+ )
157
+ bom_group = parser.add_mutually_exclusive_group(required=False)
158
+ bom_group.add_argument(
159
+ "--bom",
160
+ dest="bom",
161
+ help="Examine using the given Software Bill-of-Materials (SBOM) file "
162
+ "in CycloneDX format. Use cdxgen command to produce one.",
163
+ )
164
+ bom_group.add_argument(
165
+ "--bom-dir",
166
+ dest="bom_dir",
167
+ help="Examine all the Bill-of-Materials (BOM) files in the given directory.",
168
+ )
169
+ bom_group.add_argument(
170
+ "--purl",
171
+ dest="search_purl",
172
+ help="Scan a single package url.",
173
+ )
174
+ parser.add_argument(
175
+ "--report-template",
176
+ dest="report_template",
177
+ help="Jinja template file used for rendering a custom report",
178
+ )
179
+ parser.add_argument(
180
+ "--report-name",
181
+ default="rendered.report",
182
+ dest="report_name",
183
+ help="Filename of the custom report written to the --reports-dir",
184
+ )
185
+ parser.add_argument(
186
+ "--deep",
187
+ action="store_true",
188
+ default=False,
189
+ dest="deep_scan",
190
+ help="Perform deep scan by passing this --deep argument to cdxgen. "
191
+ "Useful while scanning docker images and OS packages.",
192
+ )
193
+ parser.add_argument(
194
+ "--fuzzy-search",
195
+ action="store_true",
196
+ default=False,
197
+ dest="fuzzy_search",
198
+ help="Perform fuzzy search by creating variations of package names. Use this when the input SBOM lacks a PURL.",
199
+ )
200
+ parser.add_argument(
201
+ "--search-order",
202
+ choices=(
203
+ "purl",
204
+ "pcu",
205
+ "cpe",
206
+ "cpu",
207
+ "url",
208
+ ),
209
+ default="pcu",
210
+ dest="search_order",
211
+ help="Attributes to use while searching for vulnerabilities. Default: PURL, CPE, URL (pcu).",
212
+ )
213
+ parser.add_argument(
214
+ "--no-universal",
215
+ action="store_true",
216
+ default=False,
217
+ dest="non_universal_scan",
218
+ help="Depscan would attempt to perform a single universal scan "
219
+ "instead of individual scans per language type.",
220
+ )
221
+ parser.add_argument(
222
+ "--no-vuln-table",
223
+ action="store_true",
224
+ default=False,
225
+ dest="no_vuln_table",
226
+ help="Do not print the table with the full list of vulnerabilities. "
227
+ "This can help reduce console output.",
228
+ )
229
+ parser.add_argument(
230
+ "--server",
231
+ action="store_true",
232
+ default=False,
233
+ dest="server_mode",
234
+ help="Run depscan as a server",
235
+ )
236
+ parser.add_argument(
237
+ "--server-host",
238
+ default=os.getenv("DEPSCAN_HOST", "127.0.0.1"),
239
+ dest="server_host",
240
+ help="depscan server host",
241
+ )
242
+ parser.add_argument(
243
+ "--server-port",
244
+ default=os.getenv("DEPSCAN_PORT", "7070"),
245
+ dest="server_port",
246
+ help="depscan server port",
247
+ )
248
+ parser.add_argument(
249
+ "--cdxgen-server",
250
+ default=os.getenv("CDXGEN_SERVER_URL"),
251
+ dest="cdxgen_server",
252
+ help="cdxgen server url. Eg: http://cdxgen:9090",
253
+ )
254
+ parser.add_argument(
255
+ "--debug",
256
+ action="store_true",
257
+ default=False,
258
+ dest="enable_debug",
259
+ help="Run depscan in debug mode.",
260
+ )
261
+ output_group = parser.add_mutually_exclusive_group(required=False)
262
+ output_group.add_argument(
263
+ "-q",
264
+ "--quiet",
265
+ action="store_true",
266
+ default=False,
267
+ dest="quiet",
268
+ help="Makes depscan quiet.",
269
+ )
270
+ output_group.add_argument(
271
+ "--explain",
272
+ action="store_true",
273
+ default=False,
274
+ dest="explain",
275
+ help="Makes depscan to explain the various analysis. Useful for creating detailed reports.",
276
+ )
277
+ parser.add_argument(
278
+ "--explanation-mode",
279
+ choices=(
280
+ "Endpoints",
281
+ "EndpointsAndReachables",
282
+ "NonReachables",
283
+ ),
284
+ default="EndpointsAndReachables",
285
+ dest="explanation_mode",
286
+ help="Style of explanation needed. Defaults to Endpoints and Reachables.",
287
+ )
288
+ parser.add_argument(
289
+ "--annotate",
290
+ action="store_true",
291
+ default=False,
292
+ dest="annotate",
293
+ help="Include the generated text VDR report as an annotation. Defaults to true when explain is enabled; false otherwise.",
294
+ )
295
+ parser.add_argument(
296
+ "-v",
297
+ "--version",
298
+ help="Display the version",
299
+ action="version",
300
+ version="%(prog)s " + get_version(),
301
+ )
302
+ return parser
depscan/lib/audit.py CHANGED
@@ -1,7 +1,7 @@
1
1
  from vdb.lib.npm import NpmSource
2
2
 
3
3
  from depscan.lib import config
4
- from depscan.lib.pkg_query import npm_metadata, pypi_metadata
4
+ from depscan.lib.package_query.metadata import npm_metadata, pypi_metadata, cargo_metadata
5
5
 
6
6
  # Dict mapping project type to the audit source
7
7
  type_audit_map = {"nodejs": NpmSource(), "js": NpmSource(), "javascript": NpmSource(), "ts": NpmSource(),
@@ -18,6 +18,8 @@ risk_audit_map = {
18
18
  "python": pypi_metadata,
19
19
  "py": pypi_metadata,
20
20
  "pypi": pypi_metadata,
21
+ "cargo": cargo_metadata,
22
+ "rust": cargo_metadata
21
23
  }
22
24
 
23
25