owasp-depscan 6.0.0a2__py3-none-any.whl → 6.0.0a3__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- depscan/cli.py +1 -1
- depscan/lib/bom.py +6 -10
- depscan/lib/explainer.py +43 -20
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/METADATA +2 -4
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/RECORD +9 -9
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/WHEEL +1 -1
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/entry_points.txt +0 -0
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/licenses/LICENSE +0 -0
- {owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0a3.dist-info}/top_level.txt +0 -0
depscan/cli.py
CHANGED
|
@@ -822,7 +822,7 @@ def run_depscan(args):
|
|
|
822
822
|
pkg_max_risk_score=pkg_max_risk_score,
|
|
823
823
|
risk_report_file=risk_report_file,
|
|
824
824
|
)
|
|
825
|
-
if not args.no_vuln_table and report_data:
|
|
825
|
+
if not args.no_vuln_table and report_data and rtable:
|
|
826
826
|
console.print(rtable)
|
|
827
827
|
except Exception as e:
|
|
828
828
|
LOG.error(e)
|
depscan/lib/bom.py
CHANGED
|
@@ -6,7 +6,6 @@ from collections import defaultdict
|
|
|
6
6
|
from datetime import datetime, timezone
|
|
7
7
|
from urllib.parse import unquote_plus
|
|
8
8
|
|
|
9
|
-
from blint.cyclonedx.spec import CycloneDX
|
|
10
9
|
from custom_json_diff.lib.utils import json_load, json_dump
|
|
11
10
|
from defusedxml.ElementTree import parse
|
|
12
11
|
from xbom_lib.blint import BlintGenerator
|
|
@@ -15,7 +14,6 @@ from xbom_lib.cdxgen import (
|
|
|
15
14
|
CdxgenImageBasedGenerator,
|
|
16
15
|
CdxgenServerGenerator,
|
|
17
16
|
)
|
|
18
|
-
|
|
19
17
|
from depscan.lib.logger import LOG, SPINNER, console
|
|
20
18
|
from depscan.lib.utils import cleanup_license_string
|
|
21
19
|
from typing import Dict, Optional
|
|
@@ -327,13 +325,6 @@ def create_blint_bom(
|
|
|
327
325
|
LOG.info(
|
|
328
326
|
"The blint invocation was unsuccessful. Try generating the BOM separately."
|
|
329
327
|
)
|
|
330
|
-
# Empty SBOM is fine if there are no binaries in the project.
|
|
331
|
-
elif bom_result.bom_obj and isinstance(bom_result.bom_obj, CycloneDX):
|
|
332
|
-
if (
|
|
333
|
-
not bom_result.bom_obj.components
|
|
334
|
-
and not bom_result.bom_obj.dependencies
|
|
335
|
-
):
|
|
336
|
-
LOG.debug("Empty SBOM received from blint.")
|
|
337
328
|
return bom_result.success and os.path.exists(bom_file)
|
|
338
329
|
|
|
339
330
|
|
|
@@ -418,7 +409,12 @@ def create_lifecycle_boms(cdxgen_lib, src_dir, options):
|
|
|
418
409
|
)
|
|
419
410
|
status.update("Preparing blint for post-build BOM generation.")
|
|
420
411
|
# post-build BOM with blint
|
|
421
|
-
coptions = {
|
|
412
|
+
coptions = {
|
|
413
|
+
**options,
|
|
414
|
+
"deep": False,
|
|
415
|
+
"use_blintdb": False,
|
|
416
|
+
"lifecycles": ["post-build"],
|
|
417
|
+
}
|
|
422
418
|
# What if the build directory is different to the source
|
|
423
419
|
build_dir = os.getenv("DEPSCAN_BUILD_DIR") or options.get("build_dir") or src_dir
|
|
424
420
|
res = create_blint_bom(postbuild_bom_file, build_dir, options=coptions)
|
depscan/lib/explainer.py
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import os
|
|
1
2
|
import re
|
|
2
3
|
import glob
|
|
3
4
|
from collections import defaultdict
|
|
@@ -58,6 +59,12 @@ The following endpoints and code hotspots were identified by depscan. Verify tha
|
|
|
58
59
|
else "Reachable Flows"
|
|
59
60
|
)
|
|
60
61
|
for sf in slices_files:
|
|
62
|
+
if len(slices_files) > 1:
|
|
63
|
+
fn = os.path.basename(sf)
|
|
64
|
+
section_label = f"# Explanations for {sf}"
|
|
65
|
+
if "-" in fn:
|
|
66
|
+
section_label = f"# Explanations for {fn.split('-')[0].upper()}"
|
|
67
|
+
console.print(Markdown(section_label))
|
|
61
68
|
if (reachables_data := json_load(sf, log=LOG)) and reachables_data.get(
|
|
62
69
|
"reachables"
|
|
63
70
|
):
|
|
@@ -176,11 +183,15 @@ def explain_reachables(
|
|
|
176
183
|
sink_reachable_explanations = defaultdict(int)
|
|
177
184
|
has_explanation = False
|
|
178
185
|
header_shown = False
|
|
186
|
+
has_cpp_flow = False
|
|
179
187
|
for areach in reachables.get("reachables", []):
|
|
188
|
+
cpp_flow = is_cpp_flow(areach.get("flows"))
|
|
189
|
+
if not has_cpp_flow and cpp_flow:
|
|
190
|
+
has_cpp_flow = True
|
|
180
191
|
if (
|
|
181
192
|
not areach.get("flows")
|
|
182
193
|
or len(areach.get("flows")) < 2
|
|
183
|
-
or (not areach.get("purls") and not
|
|
194
|
+
or (not areach.get("purls") and not cpp_flow)
|
|
184
195
|
):
|
|
185
196
|
continue
|
|
186
197
|
# Focus only on the prioritized list if available
|
|
@@ -207,7 +218,7 @@ def explain_reachables(
|
|
|
207
218
|
project_type,
|
|
208
219
|
vdr_result,
|
|
209
220
|
)
|
|
210
|
-
if not source_sink_desc or not flow_tree:
|
|
221
|
+
if not source_sink_desc or not flow_tree or len(flow_tree.children) < 5:
|
|
211
222
|
continue
|
|
212
223
|
# In non-reachables mode, we are not interested in reachable flows.
|
|
213
224
|
if (
|
|
@@ -282,9 +293,15 @@ def explain_reachables(
|
|
|
282
293
|
- Generate a Cryptographic BOM with cdxgen and monitor it in Dependency-Track.
|
|
283
294
|
"""
|
|
284
295
|
elif checked_flows:
|
|
285
|
-
|
|
296
|
+
if not has_cpp_flow:
|
|
297
|
+
tips += """
|
|
286
298
|
- Review the validation and sanitization methods used in the application.
|
|
287
299
|
- To enhance the security posture, implement a common validation middleware.
|
|
300
|
+
"""
|
|
301
|
+
else:
|
|
302
|
+
tips += """
|
|
303
|
+
- Continuously fuzz the parser and validation functions with diverse payloads.
|
|
304
|
+
- Generate post-build SBOMs with OWASP blint by building this project for various architecture combinations. Re-run depscan with the `--bom-dir` argument to enhance the analysis.
|
|
288
305
|
"""
|
|
289
306
|
elif purls_reachable_explanations:
|
|
290
307
|
tips += """
|
|
@@ -348,7 +365,7 @@ def flow_to_source_sink(idx, flow, purls, project_type, vdr_result):
|
|
|
348
365
|
source_sink_desc = f"Invocation: {method_full_name}"
|
|
349
366
|
elif flow.get("label") == "RETURN" and flow.get("code"):
|
|
350
367
|
source_sink_desc = flow.get("code").split("\n")[0]
|
|
351
|
-
elif project_type not in ("java") and flow.get("label") == "IDENTIFIER":
|
|
368
|
+
elif project_type not in ("java",) and flow.get("label") == "IDENTIFIER":
|
|
352
369
|
source_sink_desc = flow.get("code").split("\n")[0]
|
|
353
370
|
if source_sink_desc.endswith("("):
|
|
354
371
|
source_sink_desc = f":diamond_suit: {source_sink_desc})"
|
|
@@ -411,19 +428,21 @@ def filter_tags(tags):
|
|
|
411
428
|
|
|
412
429
|
|
|
413
430
|
def is_filterable_code(project_type, code):
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
431
|
+
if len(code) < 5:
|
|
432
|
+
return True
|
|
433
|
+
for c in (
|
|
434
|
+
"console.log",
|
|
435
|
+
"thoughtLog(",
|
|
436
|
+
"_tmp_",
|
|
437
|
+
"LOG.debug(",
|
|
438
|
+
"options.get(",
|
|
439
|
+
"RET",
|
|
440
|
+
"this.",
|
|
441
|
+
"NULL",
|
|
442
|
+
"!",
|
|
443
|
+
):
|
|
444
|
+
if code and code.startswith(c):
|
|
445
|
+
return True
|
|
427
446
|
return False
|
|
428
447
|
|
|
429
448
|
|
|
@@ -440,17 +459,21 @@ def flow_to_str(explanation_mode, flow, project_type):
|
|
|
440
459
|
node_desc = flow.get("code").split("\n")[0]
|
|
441
460
|
if node_desc.endswith("("):
|
|
442
461
|
node_desc = f":diamond_suit: {node_desc})"
|
|
462
|
+
elif node_desc.startswith("return "):
|
|
463
|
+
node_desc = f":arrow_backward: [italic]{node_desc}[/italic]"
|
|
443
464
|
tags = filter_tags(flow.get("tags"))
|
|
444
|
-
if flow.get("label")
|
|
465
|
+
if flow.get("label") in ("METHOD_PARAMETER_IN",):
|
|
445
466
|
param_name = flow.get("name")
|
|
446
467
|
if param_name == "this":
|
|
447
468
|
param_name = ""
|
|
448
469
|
node_desc = f"{flow.get('parentMethodName')}([red]{param_name}[/red]) :right_arrow_curving_left:"
|
|
449
470
|
if tags:
|
|
450
471
|
node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
|
|
451
|
-
elif flow.get("label")
|
|
472
|
+
elif flow.get("label") in ("IDENTIFIER", "CALL"):
|
|
452
473
|
if node_desc.startswith("<"):
|
|
453
474
|
node_desc = flow.get("name")
|
|
475
|
+
if flow.get("isExternal"):
|
|
476
|
+
node_desc = f"{node_desc} :right_arrow_curving_up:"
|
|
454
477
|
if tags:
|
|
455
478
|
node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
|
|
456
479
|
if tags and not is_filterable_code(project_type, node_desc):
|
|
@@ -518,7 +541,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
|
|
|
518
541
|
file_loc, flow_str, node_desc, has_check_tag_flow = flow_to_str(
|
|
519
542
|
explanation_mode, aflow, project_type
|
|
520
543
|
)
|
|
521
|
-
if last_file_loc and last_file_loc == file_loc:
|
|
544
|
+
if not flow_str or (last_file_loc and last_file_loc == file_loc):
|
|
522
545
|
continue
|
|
523
546
|
last_file_loc = file_loc
|
|
524
547
|
if flow_str in added_flows or node_desc in added_node_desc:
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: owasp-depscan
|
|
3
|
-
Version: 6.0.
|
|
3
|
+
Version: 6.0.0a3
|
|
4
4
|
Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
|
|
5
5
|
Author-email: Team AppThreat <cloud@appthreat.com>
|
|
6
6
|
License-Expression: MIT
|
|
@@ -28,7 +28,7 @@ Requires-Dist: rich>=14.0.0
|
|
|
28
28
|
Requires-Dist: Jinja2>=3.1.6
|
|
29
29
|
Requires-Dist: packageurl-python>=0.16.0
|
|
30
30
|
Requires-Dist: cvss>=3.4
|
|
31
|
-
Requires-Dist: tomli>=2.2.1
|
|
31
|
+
Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
|
|
32
32
|
Requires-Dist: ds-xbom-lib
|
|
33
33
|
Requires-Dist: ds-analysis-lib
|
|
34
34
|
Provides-Extra: dev
|
|
@@ -147,8 +147,6 @@ Always stay a step ahead with advanced vulnerability and exploit prediction.
|
|
|
147
147
|
- Chainguard
|
|
148
148
|
- Wolfi OS
|
|
149
149
|
|
|
150
|
-
Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
|
|
151
|
-
|
|
152
150
|
## Quick Start
|
|
153
151
|
|
|
154
152
|
dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
depscan/__init__.py,sha256=u_HyD63vlgVi48bUU6bI8O1fdXJOLPaNwCrMJdCnzJE,165
|
|
2
|
-
depscan/cli.py,sha256=
|
|
2
|
+
depscan/cli.py,sha256=bGTNQ6PV_GNz2YG-cGNJL57t4Ekkjr2l5FYsXKLJsAs,40885
|
|
3
3
|
depscan/cli_options.py,sha256=zKje-zoM0OjCVW0pC6cRWb_8D6T-R1PTSjfGBjmSzZ8,9468
|
|
4
4
|
depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
5
5
|
depscan/lib/audit.py,sha256=i6sE-vN0Fk5gc-npHIhrrior4772_tTlPVAlznyuogo,1582
|
|
6
|
-
depscan/lib/bom.py,sha256=
|
|
6
|
+
depscan/lib/bom.py,sha256=OUFESoyPmYz0Igm9zoLn8ap6dLUJdQUb1VFN8i5lEgE,20823
|
|
7
7
|
depscan/lib/config.py,sha256=v3Rv4nyPMjvk-EbpWSSYcloQa4v2N0bTzXKWF5nDJvg,9572
|
|
8
|
-
depscan/lib/explainer.py,sha256=
|
|
8
|
+
depscan/lib/explainer.py,sha256=Gw1So2sQ9qNbKYxJ0mx1KEraEltuYX284Cxy1MQeMrY,21165
|
|
9
9
|
depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
|
|
10
10
|
depscan/lib/license.py,sha256=ChwqAXPrMcDQJqSgDag7Th8VwoRCq8oMvwPt64iL4gw,2404
|
|
11
11
|
depscan/lib/logger.py,sha256=gU5epbOHlhvuFhMqRTgn71AJ4KPB5Gf2iAmgTx3qI-4,2837
|
|
@@ -17,7 +17,7 @@ depscan/lib/package_query/metadata.py,sha256=Nnh6ctLIXPRTMoHOjZC7uhmFM3ogGljg22d
|
|
|
17
17
|
depscan/lib/package_query/npm_pkg.py,sha256=eXdTeq1ffxLN3fWfMh3QcGG1u0VYLGR4-0BmVoD5BPk,15443
|
|
18
18
|
depscan/lib/package_query/pkg_query.py,sha256=ODnRegpD3gv5FIKy0ogXMEITcdfVVV-eoIaWf7UhrQU,7038
|
|
19
19
|
depscan/lib/package_query/pypi_pkg.py,sha256=scn6UhMWqA0ajS-u5UVMGV7Vx-6PEY75lN6uET9yU5c,4808
|
|
20
|
-
owasp_depscan-6.0.
|
|
20
|
+
owasp_depscan-6.0.0a3.dist-info/licenses/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
|
|
21
21
|
vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
22
22
|
vendor/choosealicense.com/_data/fields.yml,sha256=ydNsITXFUuADzGPM-jcUcJnN0r_qSGgH51oV27nX3Qs,819
|
|
23
23
|
vendor/choosealicense.com/_data/meta.yml,sha256=rSNmnx0LE6VA9wnR29Y_P9s-TnADQqbdw2enE4i1mWM,1792
|
|
@@ -70,8 +70,8 @@ vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7
|
|
|
70
70
|
vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
|
|
71
71
|
vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
|
|
72
72
|
vendor/spdx/json/licenses.json,sha256=66zBMswN5ufUL8M9TIMV0PQH9aZK_X5mtHm3OkwKmVU,314245
|
|
73
|
-
owasp_depscan-6.0.
|
|
74
|
-
owasp_depscan-6.0.
|
|
75
|
-
owasp_depscan-6.0.
|
|
76
|
-
owasp_depscan-6.0.
|
|
77
|
-
owasp_depscan-6.0.
|
|
73
|
+
owasp_depscan-6.0.0a3.dist-info/METADATA,sha256=PNMzv77rY6OnnLcFgiZAhIU03rKYFblllVl7M_CTV14,17394
|
|
74
|
+
owasp_depscan-6.0.0a3.dist-info/WHEEL,sha256=DnLRTWE75wApRYVsjgc6wsVswC54sMSJhAEd4xhDpBk,91
|
|
75
|
+
owasp_depscan-6.0.0a3.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
|
|
76
|
+
owasp_depscan-6.0.0a3.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
|
|
77
|
+
owasp_depscan-6.0.0a3.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|