owasp-depscan 5.4.8__tar.gz → 5.5.0__tar.gz



Files changed (89) hide show
  1. {owasp_depscan-5.4.8/owasp_depscan.egg-info → owasp_depscan-5.5.0}/PKG-INFO +2 -2
  2. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/analysis.py +28 -24
  3. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0/owasp_depscan.egg-info}/PKG-INFO +2 -2
  4. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/requires.txt +1 -1
  5. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/pyproject.toml +2 -2
  6. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_analysis.py +19 -2
  7. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/LICENSE +0 -0
  8. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/MANIFEST.in +0 -0
  9. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/README.md +0 -0
  10. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/__init__.py +0 -0
  11. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/cli.py +0 -0
  12. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/__init__.py +0 -0
  13. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/audit.py +0 -0
  14. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/bom.py +0 -0
  15. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/config.py +0 -0
  16. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/csaf.py +0 -0
  17. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/explainer.py +0 -0
  18. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/github.py +0 -0
  19. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/license.py +0 -0
  20. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/logger.py +0 -0
  21. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/normalize.py +0 -0
  22. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/orasclient.py +0 -0
  23. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/pkg_query.py +0 -0
  24. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/depscan/lib/utils.py +0 -0
  25. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/SOURCES.txt +0 -0
  26. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/dependency_links.txt +0 -0
  27. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/entry_points.txt +0 -0
  28. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/owasp_depscan.egg-info/top_level.txt +0 -0
  29. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/setup.cfg +0 -0
  30. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_bom.py +0 -0
  31. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_csaf.py +0 -0
  32. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_explainer.py +0 -0
  33. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_github.py +0 -0
  34. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_license.py +0 -0
  35. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_norm.py +0 -0
  36. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_pkg_query.py +0 -0
  37. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/test/test_utils.py +0 -0
  38. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/__init__.py +0 -0
  39. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/fields.yml +0 -0
  40. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/meta.yml +0 -0
  41. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_data/rules.yml +0 -0
  42. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/0bsd.txt +0 -0
  43. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/afl-3.0.txt +0 -0
  44. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/agpl-3.0.txt +0 -0
  45. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/apache-2.0.txt +0 -0
  46. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/artistic-2.0.txt +0 -0
  47. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt +0 -0
  48. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-2-clause-patent.txt +0 -0
  49. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-2-clause.txt +0 -0
  50. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt +0 -0
  51. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-3-clause.txt +0 -0
  52. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsd-4-clause.txt +0 -0
  53. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/bsl-1.0.txt +0 -0
  54. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc-by-4.0.txt +0 -0
  55. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc-by-sa-4.0.txt +0 -0
  56. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cc0-1.0.txt +0 -0
  57. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cecill-2.1.txt +0 -0
  58. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-p-2.0.txt +0 -0
  59. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-s-2.0.txt +0 -0
  60. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/cern-ohl-w-2.0.txt +0 -0
  61. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ecl-2.0.txt +0 -0
  62. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/epl-1.0.txt +0 -0
  63. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/epl-2.0.txt +0 -0
  64. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/eupl-1.1.txt +0 -0
  65. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/eupl-1.2.txt +0 -0
  66. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gfdl-1.3.txt +0 -0
  67. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gpl-2.0.txt +0 -0
  68. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/gpl-3.0.txt +0 -0
  69. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/isc.txt +0 -0
  70. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lgpl-2.1.txt +0 -0
  71. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lgpl-3.0.txt +0 -0
  72. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/lppl-1.3c.txt +0 -0
  73. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mit-0.txt +0 -0
  74. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mit.txt +0 -0
  75. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mpl-2.0.txt +0 -0
  76. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ms-pl.txt +0 -0
  77. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ms-rl.txt +0 -0
  78. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/mulanpsl-2.0.txt +0 -0
  79. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ncsa.txt +0 -0
  80. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/odbl-1.0.txt +0 -0
  81. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/ofl-1.1.txt +0 -0
  82. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/osl-3.0.txt +0 -0
  83. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/postgresql.txt +0 -0
  84. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/unlicense.txt +0 -0
  85. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/upl-1.0.txt +0 -0
  86. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/vim.txt +0 -0
  87. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/wtfpl.txt +0 -0
  88. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/choosealicense.com/_licenses/zlib.txt +0 -0
  89. {owasp_depscan-5.4.8 → owasp_depscan-5.5.0}/vendor/spdx/json/licenses.json +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: owasp-depscan
3
- Version: 5.4.8
3
+ Version: 5.5.0
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
20
20
  Requires-Python: >=3.8
21
21
  Description-Content-Type: text/markdown
22
22
  License-File: LICENSE
23
- Requires-Dist: appthreat-vulnerability-db==5.7.8
23
+ Requires-Dist: appthreat-vulnerability-db==5.8.1
24
24
  Requires-Dist: defusedxml
25
25
  Requires-Dist: oras~=0.1.26
26
26
  Requires-Dist: PyYAML
@@ -19,7 +19,7 @@ from rich.table import Table
19
19
  from rich.tree import Tree
20
20
  from vdb.lib import CPE_FULL_REGEX
21
21
  from vdb.lib.config import placeholder_exclude_version, placeholder_fix_version
22
- from vdb.lib.utils import parse_cpe, parse_purl
22
+ from vdb.lib.utils import get_cvss3_from_vector, get_cvss4_from_vector, parse_cpe, parse_purl
23
23
 
24
24
  from depscan.lib import config
25
25
  from depscan.lib.logger import LOG, console
@@ -336,6 +336,11 @@ def prepare_vdr(options: PrepareVdrOptions):
336
336
  justify = "right"
337
337
  table.add_column(header=h, justify=justify, vertical="top")
338
338
  for vuln_occ_dict in options.results:
339
+ # If CVSS v4 data is available, override the severity and cvss_score
340
+ if vuln_occ_dict.get("cvss4_vector_string"):
341
+ cvss4_obj = get_cvss4_from_vector(vuln_occ_dict.get("cvss4_vector_string"))
342
+ vuln_occ_dict["cvss_score"] = cvss4_obj.get("baseScore")
343
+ vuln_occ_dict["severity"] = cvss4_obj.get("baseSeverity").upper()
339
344
  vid = vuln_occ_dict.get("id")
340
345
  problem_type = vuln_occ_dict.get("problem_type")
341
346
  cwes = []
@@ -1026,34 +1031,33 @@ def cvss_to_vdr_rating(vuln_occ_dict):
1026
1031
 
1027
1032
  :return: A list containing a dictionary with CVSS score information.
1028
1033
  """
1029
- cvss_score = vuln_occ_dict.get("cvss_score", 2.0)
1030
- with contextlib.suppress(ValueError, TypeError):
1031
- cvss_score = float(cvss_score)
1032
- if (pkg_severity := vuln_occ_dict.get("severity", "").lower()) not in (
1033
- "critical",
1034
- "high",
1035
- "medium",
1036
- "low",
1037
- "info",
1038
- "none",
1039
- ):
1040
- pkg_severity = "unknown"
1041
- ratings = [
1042
- {
1043
- "score": cvss_score,
1044
- "severity": pkg_severity,
1045
- }
1046
- ]
1047
- method = "31"
1034
+ ratings = []
1035
+ # Support for cvss v4
1036
+ if vuln_occ_dict.get("cvss4_vector_string") and (vector_string := vuln_occ_dict.get("cvss4_vector_string")):
1037
+ cvss4_obj = get_cvss4_from_vector(vector_string)
1038
+ ratings.append(
1039
+ {
1040
+ "method": "CVSSv4",
1041
+ "score": cvss4_obj.get("baseScore"),
1042
+ "severity": cvss4_obj.get("baseSeverity").lower(),
1043
+ "vector": vector_string
1044
+ }
1045
+ )
1048
1046
  if vuln_occ_dict.get("cvss_v3") and (
1049
1047
  vector_string := vuln_occ_dict["cvss_v3"].get("vector_string")
1050
1048
  ):
1051
- ratings[0]["vector"] = vector_string
1052
1049
  with contextlib.suppress(CVSSError):
1053
- method = cvss.CVSS3(vector_string).as_json().get("version")
1050
+ cvss3_obj = get_cvss3_from_vector(vector_string)
1051
+ method = cvss3_obj.get("version")
1054
1052
  method = method.replace(".", "").replace("0", "")
1055
- ratings[0]["method"] = f"CVSSv{method}"
1056
-
1053
+ ratings.append(
1054
+ {
1055
+ "method": f"CVSSv{method}",
1056
+ "score": cvss3_obj.get("baseScore"),
1057
+ "severity": cvss3_obj.get("baseSeverity").lower(),
1058
+ "vector": vector_string
1059
+ }
1060
+ )
1057
1061
  return ratings
1058
1062
 
1059
1063
 
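Review bot: The new v4 branch in `cvss_to_vdr_rating` calls `get_cvss4_from_vector` with no `contextlib.suppress(CVSSError)` around it, unlike the v3 branch directly below it, so a single malformed `cvss4_vector_string` coming out of the vulnerability database aborts the whole VDR instead of being skipped, and `cvss4_obj.get("baseSeverity").lower()` raises if the helper returns a dict without that key; the unguarded `.upper()` call added in `prepare_vdr` has the same exposure. Guard the v4 parse the way the v3 one is guarded and only append when both values are present, as sketched below (that the helper raises `CVSSError` is inferred from the v3 path and should be confirmed). The condition `vuln_occ_dict.get("cvss4_vector_string") and (vector_string := vuln_occ_dict.get("cvss4_vector_string"))` reads the key twice for no gain; `if vector_string := vuln_occ_dict.get("cvss4_vector_string"):` is equivalent. Separately, the `prepare_vdr` hunk lets v4 unconditionally replace `severity` and `cvss_score`, which in the case the new test exercises lowers the severity from critical (v3 score 10.0) to high (v4 score 7.9); if that precedence is intended, say so in the comment, e.g. `# CVSS v4 takes precedence over v3 when both are present, even when it yields a lower severity`. Both functions begin and end outside the hunks.
```python
    ratings = []
    # Support for cvss v4
    if vector_string := vuln_occ_dict.get("cvss4_vector_string"):
        # Guard like the v3 branch: a malformed vector from the database must
        # not abort the whole report. Exception type assumed from the v3 path;
        # confirm what get_cvss4_from_vector actually raises.
        with contextlib.suppress(CVSSError):
            cvss4_obj = get_cvss4_from_vector(vector_string) or {}
            if cvss4_obj.get("baseScore") is not None and cvss4_obj.get("baseSeverity"):
                ratings.append(
                    {
                        "method": "CVSSv4",
                        "score": cvss4_obj.get("baseScore"),
                        "severity": cvss4_obj.get("baseSeverity").lower(),
                        "vector": vector_string,
                    }
                )
    # … unchanged: CVSS v3 branch and return …
```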
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.1
2
2
  Name: owasp-depscan
3
- Version: 5.4.8
3
+ Version: 5.5.0
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
20
20
  Requires-Python: >=3.8
21
21
  Description-Content-Type: text/markdown
22
22
  License-File: LICENSE
23
- Requires-Dist: appthreat-vulnerability-db==5.7.8
23
+ Requires-Dist: appthreat-vulnerability-db==5.8.1
24
24
  Requires-Dist: defusedxml
25
25
  Requires-Dist: oras~=0.1.26
26
26
  Requires-Dist: PyYAML
@@ -1,4 +1,4 @@
1
- appthreat-vulnerability-db==5.7.8
1
+ appthreat-vulnerability-db==5.8.1
2
2
  defusedxml
3
3
  oras~=0.1.26
4
4
  PyYAML
@@ -1,12 +1,12 @@
1
1
  [project]
2
2
  name = "owasp-depscan"
3
- version = "5.4.8"
3
+ version = "5.5.0"
4
4
  description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
5
5
  authors = [
6
6
  {name = "Team AppThreat", email = "cloud@appthreat.com"},
7
7
  ]
8
8
  dependencies = [
9
- "appthreat-vulnerability-db==5.7.8",
9
+ "appthreat-vulnerability-db==5.8.1",
10
10
  "defusedxml",
11
11
  "oras~=0.1.26",
12
12
  "PyYAML",
@@ -708,8 +708,7 @@ def test_cvss_to_vdr_rating():
708
708
  "severity": "HIGH",
709
709
  }
710
710
  # Test missing score and vector string
711
- assert cvss_to_vdr_rating(res) == [
712
- {'method': 'CVSSv31', 'score': 2.0, 'severity': 'high'}]
711
+ assert cvss_to_vdr_rating(res) == []
713
712
  # Test parsing
714
713
  res["cvss_v3"]["vector_string"] = ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I"
715
714
  ":N/A:H")
@@ -729,6 +728,24 @@ def test_cvss_to_vdr_rating():
729
728
  'severity': 'high',
730
729
  'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'
731
730
  }]
731
+ assert cvss_to_vdr_rating({
732
+ "cvss_v3": {
733
+ "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
734
+ },
735
+ "cvss4_vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"
736
+ }) == [{
737
+ 'method': 'CVSSv4',
738
+ 'score': 7.9,
739
+ 'severity': 'high',
740
+ 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H'
741
+ },
742
+ {
743
+ 'method': 'CVSSv31',
744
+ 'score': 10.0,
745
+ 'severity': 'critical',
746
+ 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'
747
+ }
748
+ ]
732
749
 
733
750
 
734
751
  def test_get_version_range():
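Review bot: The new assertions only cover the case where a v3 and a v4 vector are both present; there is no case for a v4-only record and none for a malformed `cvss4_vector_string`, which is exactly the input the new branch in `cvss_to_vdr_rating` handles without any error guard. Add a v4-only input asserting a single `CVSSv4` rating, and a truncated vector such as `cvss_to_vdr_rating({"cvss4_vector_string": "CVSS:4.0/AV:N"})` asserting whatever the intended outcome is (an empty list if a bad vector should be skipped like a bad v3 one). The changed expectation `== []` also means a record that carries `"severity": "HIGH"` but no vector string now emits no rating at all, so the database-supplied severity is silently dropped from the VDR; if that is deliberate, a comment next to `# Test missing score and vector string` saying `# no vector means no rating; the advisory's own severity is intentionally not emitted` would stop the next reader from treating it as an omission. `test_cvss_to_vdr_rating` begins outside the hunk.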