owasp-depscan 6.0.0a2__py3-none-any.whl → 6.0.0b2__py3-none-any.whl

depscan/cli.py

@@ -54,6 +54,7 @@ from depscan.lib.config import (
 from depscan.lib.license import build_license_data, bulk_lookup
 from depscan.lib.logger import DEBUG, LOG, SPINNER, console, IS_CI
 
+from reporting_lib.htmlgen import ReportGenerator
 if sys.platform == "win32" and os.environ.get("PYTHONIOENCODING") is None:
     sys.stdin.reconfigure(encoding="utf-8")
     sys.stdout.reconfigure(encoding="utf-8")
@@ -617,15 +618,11 @@ def run_depscan(args):
     html_report_file = depscan_options.get(
         "html_report_file", os.path.join(reports_dir, "depscan.html")
     )
-    pdf_report_file = depscan_options.get(
-        "pdf_report_file", os.path.join(reports_dir, "depscan.pdf")
-    )
     txt_report_file = depscan_options.get(
         "txt_report_file", os.path.join(reports_dir, "depscan.txt")
     )
     run_config_file = os.path.join(reports_dir, "depscan.toml.sample")
     depscan_options["html_report_file"] = html_report_file
-    depscan_options["pdf_report_file"] = pdf_report_file
     depscan_options["txt_report_file"] = txt_report_file
     # Create reports directory
     if reports_dir and not os.path.exists(reports_dir):
@@ -822,7 +819,7 @@ def run_depscan(args):
                     pkg_max_risk_score=pkg_max_risk_score,
                     risk_report_file=risk_report_file,
                 )
-                if not args.no_vuln_table and report_data:
+                if not args.no_vuln_table and report_data and rtable:
                     console.print(rtable)
             except Exception as e:
                 LOG.error(e)
@@ -975,7 +972,9 @@ def run_depscan(args):
         theme=(MONOKAI if os.getenv("USE_DARK_THEME") else DEFAULT_TERMINAL_THEME),
     )
     console.save_text(txt_report_file, clear=False)
-    utils.export_pdf(html_report_file, pdf_report_file)
+    # Prettify the rich html report
+    html_report_generator = ReportGenerator(input_rich_html_path=html_report_file, report_output_path=html_report_file, raw_content=False)
+    html_report_generator.parse_and_generate_report()
     # This logic needs refactoring
     # render report into template if wished
     if args.report_template and os.path.isfile(args.report_template):

depscan/lib/bom.py

@@ -6,7 +6,6 @@ from collections import defaultdict
 from datetime import datetime, timezone
 from urllib.parse import unquote_plus
 
-from blint.cyclonedx.spec import CycloneDX
 from custom_json_diff.lib.utils import json_load, json_dump
 from defusedxml.ElementTree import parse
 from xbom_lib.blint import BlintGenerator
@@ -15,7 +14,6 @@ from xbom_lib.cdxgen import (
     CdxgenImageBasedGenerator,
     CdxgenServerGenerator,
 )
-
 from depscan.lib.logger import LOG, SPINNER, console
 from depscan.lib.utils import cleanup_license_string
 from typing import Dict, Optional
@@ -327,13 +325,6 @@ def create_blint_bom(
             LOG.info(
                 "The blint invocation was unsuccessful. Try generating the BOM separately."
             )
-        # Empty SBOM is fine if there are no binaries in the project.
-        elif bom_result.bom_obj and isinstance(bom_result.bom_obj, CycloneDX):
-            if (
-                not bom_result.bom_obj.components
-                and not bom_result.bom_obj.dependencies
-            ):
-                LOG.debug("Empty SBOM received from blint.")
         return bom_result.success and os.path.exists(bom_file)
 
 
@@ -418,7 +409,12 @@ def create_lifecycle_boms(cdxgen_lib, src_dir, options):
             )
         status.update("Preparing blint for post-build BOM generation.")
     # post-build BOM with blint
-    coptions = {**options, "deep": False, "use_blintdb": False, "lifecycles": ["post-build"]}
+    coptions = {
+        **options,
+        "deep": False,
+        "use_blintdb": False,
+        "lifecycles": ["post-build"],
+    }
     # What if the build directory is different to the source
     build_dir = os.getenv("DEPSCAN_BUILD_DIR") or options.get("build_dir") or src_dir
     res = create_blint_bom(postbuild_bom_file, build_dir, options=coptions)

depscan/lib/explainer.py

@@ -1,3 +1,4 @@
+import os
 import re
 import glob
 from collections import defaultdict
@@ -46,9 +47,14 @@ def explain(project_type, src_dir, bom_dir, vdr_file, vdr_result, explanation_mo
         rsection = Markdown("""## Service Endpoints
 
 The following endpoints and code hotspots were identified by depscan. Verify that proper authentication and authorization mechanisms are in place to secure them.""")
-        console.print(rsection)
+        any_endpoints_shown = False
         for ospec in openapi_spec_files:
-            pattern_methods = print_endpoints(ospec)
+            pattern_methods = print_endpoints(
+                ospec, rsection if not any_endpoints_shown else None
+            )
+            if not any_endpoints_shown and pattern_methods:
+                any_endpoints_shown = True
+
     # Return early for endpoints only explanations
     if explanation_mode in ("Endpoints",):
         return
@@ -58,6 +64,12 @@ The following endpoints and code hotspots were identified by depscan. Verify tha
         else "Reachable Flows"
     )
     for sf in slices_files:
+        if len(slices_files) > 1:
+            fn = os.path.basename(sf)
+            section_label = f"# Explanations for {sf}"
+            if "-" in fn:
+                section_label = f"# Explanations for {fn.split('-')[0].upper()}"
+            console.print(Markdown(section_label))
         if (reachables_data := json_load(sf, log=LOG)) and reachables_data.get(
             "reachables"
         ):
@@ -102,7 +114,7 @@ def _track_usage_targets(usage_targets, usages_object):
                 usage_targets.add(f"{file}#{l}")
 
 
-def print_endpoints(ospec):
+def print_endpoints(ospec, header_section=None):
     if not ospec:
         return
     paths = json_load(ospec).get("paths") or {}
@@ -144,6 +156,9 @@ def print_endpoints(ospec):
         sorted_areas.sort()
         rtable.add_row(k, ("\n".join(v)).upper(), "\n".join(sorted_areas))
     if pattern_methods:
+        # Print the header section
+        if header_section:
+            console.print(header_section)
         console.print()
         console.print(rtable)
     return pattern_methods
@@ -171,28 +186,26 @@ def explain_reachables(
     reachable_explanations = 0
     checked_flows = 0
     has_crypto_flows = False
+    explained_ids = {}
     purls_reachable_explanations = defaultdict(int)
     source_reachable_explanations = defaultdict(int)
     sink_reachable_explanations = defaultdict(int)
     has_explanation = False
     header_shown = False
+    has_cpp_flow = False
     for areach in reachables.get("reachables", []):
+        cpp_flow = is_cpp_flow(areach.get("flows"))
+        if not has_cpp_flow and cpp_flow:
+            has_cpp_flow = True
         if (
             not areach.get("flows")
             or len(areach.get("flows")) < 2
-            or (not areach.get("purls") and not is_cpp_flow(areach.get("flows")))
+            or (not areach.get("purls") and not cpp_flow)
         ):
             continue
-        # Focus only on the prioritized list if available
-        # if project_type in ("java",) and pkg_group_rows:
-        #     is_prioritized = False
-        #     for apurl in areach.get("purls"):
-        #         if pkg_group_rows.get(apurl):
-        #             is_prioritized = True
-        #     if not is_prioritized:
-        #         continue
         (
             flow_tree,
+            added_ids,
             comment,
             source_sink_desc,
             source_code_str,
@@ -207,7 +220,13 @@ def explain_reachables(
             project_type,
             vdr_result,
         )
-        if not source_sink_desc or not flow_tree:
+        # The goal is to reduce duplicate explanations by checking if a given flow is similar to one we have explained
+        # before. We do this by checking the node ids, source-sink explanations, purl tags and so on.
+        added_ids_str = "-".join(added_ids)
+        # Have we seen this sequence before?
+        if explained_ids.get(added_ids_str) or len(added_ids) < 4:
+            continue
+        if not source_sink_desc or not flow_tree or len(flow_tree.children) < 4:
             continue
         # In non-reachables mode, we are not interested in reachable flows.
         if (
@@ -258,6 +277,7 @@ def explain_reachables(
             header_shown = True
         console.print()
         console.print(rtable)
+        explained_ids[added_ids_str] = True
         reachable_explanations += 1
         if purls_str:
             purls_reachable_explanations[purls_str] += 1
@@ -282,9 +302,15 @@ def explain_reachables(
 - Generate a Cryptographic BOM with cdxgen and monitor it in Dependency-Track.
 """
         elif checked_flows:
-            tips += """
+            if not has_cpp_flow:
+                tips += """
 - Review the validation and sanitization methods used in the application.
 - To enhance the security posture, implement a common validation middleware.
+"""
+            else:
+                tips += """
+- Continuously fuzz the parser and validation functions with diverse payloads.
+- Generate post-build SBOMs with OWASP blint by building this project for various architecture combinations. Re-run depscan with the `--bom-dir` argument to enhance the analysis.
 """
         elif purls_reachable_explanations:
             tips += """
@@ -348,7 +374,7 @@ def flow_to_source_sink(idx, flow, purls, project_type, vdr_result):
             source_sink_desc = f"Invocation: {method_full_name}"
     elif flow.get("label") == "RETURN" and flow.get("code"):
         source_sink_desc = flow.get("code").split("\n")[0]
-    elif project_type not in ("java") and flow.get("label") == "IDENTIFIER":
+    elif project_type not in ("java",) and flow.get("label") == "IDENTIFIER":
         source_sink_desc = flow.get("code").split("\n")[0]
         if source_sink_desc.endswith("("):
             source_sink_desc = f":diamond_suit: {source_sink_desc})"
@@ -411,19 +437,21 @@ def filter_tags(tags):
 
 
 def is_filterable_code(project_type, code):
-    match project_type:
-        case "js" | "ts" | "javascript" | "typescript" | "bom":
-            for c in (
-                "console.log",
-                "thoughtLog(",
-                "_tmp_",
-                "LOG.debug(",
-                "options.get(",
-                "RET",
-                "this.",
-            ):
-                if code and code.startswith(c):
-                    return True
+    if len(code) < 3:
+        return True
+    for c in (
+        "console.log",
+        "thoughtLog(",
+        "_tmp_",
+        "LOG.debug(",
+        "options.get(",
+        "RET",
+        "this.",
+        "NULL",
+        "!",
+    ):
+        if code and code.startswith(c):
+            return True
     return False
 
 
@@ -436,21 +464,33 @@ def flow_to_str(explanation_mode, flow, project_type):
         and flow.get("lineNumber")
         and not flow.get("parentFileName").startswith("unknown")
     ):
-        file_loc = f"{flow.get('parentFileName').replace('src/main/java/', '').replace('src/main/scala/', '')}#{flow.get('lineNumber')}    "
+        # strip common prefixes
+        name = flow.get('parentFileName', '')
+        for p in ('src/main/java/', 'src/main/scala/'):
+            name = name.removeprefix(p)
+        file_loc = f"{name}#{flow.get('lineNumber')}    "
     node_desc = flow.get("code").split("\n")[0]
+    if (len(node_desc) < 3 or node_desc.endswith("{")) and len(flow.get("code")) > 3:
+        node_desc = " ".join(flow.get("code", "").split())
+        if "(" in node_desc:
+            node_desc = node_desc.split("(")[0] + "() ..."
     if node_desc.endswith("("):
         node_desc = f":diamond_suit: {node_desc})"
+    elif node_desc.startswith("return "):
+        node_desc = f":arrow_backward: [italic]{node_desc}[/italic]"
     tags = filter_tags(flow.get("tags"))
-    if flow.get("label") == "METHOD_PARAMETER_IN":
+    if flow.get("label") in ("METHOD_PARAMETER_IN",):
         param_name = flow.get("name")
         if param_name == "this":
             param_name = ""
         node_desc = f"{flow.get('parentMethodName')}([red]{param_name}[/red]) :right_arrow_curving_left:"
         if tags:
             node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
-    elif flow.get("label") == "IDENTIFIER":
+    elif flow.get("label") in ("IDENTIFIER", "CALL"):
         if node_desc.startswith("<"):
             node_desc = flow.get("name")
+        if flow.get("isExternal"):
+            node_desc = f"{node_desc} :right_arrow_curving_up:"
         if tags:
             node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
     if tags and not is_filterable_code(project_type, node_desc):
@@ -487,6 +527,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
     if purls:
         purls_str = "\n".join(purls)
         comments.append(f"[info]Reachable Packages:[/info]\n{purls_str}")
+    added_ids = []
     added_flows = []
     added_node_desc = []
     has_check_tag = False
@@ -518,12 +559,13 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
         file_loc, flow_str, node_desc, has_check_tag_flow = flow_to_str(
             explanation_mode, aflow, project_type
         )
-        if last_file_loc and last_file_loc == file_loc:
+        if not flow_str or (last_file_loc and last_file_loc == file_loc):
             continue
         last_file_loc = file_loc
         if flow_str in added_flows or node_desc in added_node_desc:
             continue
         added_flows.append(flow_str)
+        added_ids.append(str(aflow.get("id", "")))
         added_node_desc.append(node_desc)
         if not tree:
             tree = Tree(flow_str)
@@ -538,6 +580,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
         )
     return (
         tree,
+        added_ids,
         "\n".join(comments),
         source_sink_desc,
         source_code_str,

{owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0b2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: owasp-depscan
-Version: 6.0.0a2
+Version: 6.0.0b2
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License-Expression: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db[oras]
+Requires-Dist: appthreat-vulnerability-db[oras]>=6.4.3
 Requires-Dist: custom-json-diff>=2.1.6
 Requires-Dist: defusedxml>=0.7.1
 Requires-Dist: PyYAML>=6.0.2
@@ -28,9 +28,10 @@ Requires-Dist: rich>=14.0.0
 Requires-Dist: Jinja2>=3.1.6
 Requires-Dist: packageurl-python>=0.16.0
 Requires-Dist: cvss>=3.4
-Requires-Dist: tomli>=2.2.1
+Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
 Requires-Dist: ds-xbom-lib
 Requires-Dist: ds-analysis-lib
+Requires-Dist: ds-reporting-lib
 Provides-Extra: dev
 Requires-Dist: black>=25.1.0; extra == "dev"
 Requires-Dist: flake8>=7.1.2; extra == "dev"
@@ -147,8 +148,6 @@ Always stay a step ahead with advanced vulnerability and exploit prediction.
 - Chainguard
 - Wolfi OS
 
-Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
-
 ## Quick Start
 
 dep-scan is ideal for use during continuous integration (CI) and as a local development tool.

{owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0b2.dist-info}/RECORD

@@ -1,11 +1,11 @@
 depscan/__init__.py,sha256=u_HyD63vlgVi48bUU6bI8O1fdXJOLPaNwCrMJdCnzJE,165
-depscan/cli.py,sha256=ojbK1tX3dPPNdWmPV8uTtY4oto4vgewl6gNlurw9ZGA,40874
+depscan/cli.py,sha256=KULqCzhgQJ6OBXP4gUo7QIXJi1ZvOudzacw-6PRHx5I,40934
 depscan/cli_options.py,sha256=zKje-zoM0OjCVW0pC6cRWb_8D6T-R1PTSjfGBjmSzZ8,9468
 depscan/lib/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 depscan/lib/audit.py,sha256=i6sE-vN0Fk5gc-npHIhrrior4772_tTlPVAlznyuogo,1582
-depscan/lib/bom.py,sha256=9Y_Xo-q2U9Q8ZTb47XoYX_E4GTfryAFhXUTKHb48X2U,21176
+depscan/lib/bom.py,sha256=OUFESoyPmYz0Igm9zoLn8ap6dLUJdQUb1VFN8i5lEgE,20823
 depscan/lib/config.py,sha256=v3Rv4nyPMjvk-EbpWSSYcloQa4v2N0bTzXKWF5nDJvg,9572
-depscan/lib/explainer.py,sha256=7YOTMqlkdJj4tuJ8Wbtpw9wQDM8W8K5kiPFaxgQ9eVI,20230
+depscan/lib/explainer.py,sha256=yyGE7FwXmzcTniYewHBSkxtfgR6wilG5KXn6WgyyiWY,22018
 depscan/lib/github.py,sha256=h6e_12xLwspXJbt_7lW6vuHaqgJQgyFSRCLrfUndCH4,1697
 depscan/lib/license.py,sha256=ChwqAXPrMcDQJqSgDag7Th8VwoRCq8oMvwPt64iL4gw,2404
 depscan/lib/logger.py,sha256=gU5epbOHlhvuFhMqRTgn71AJ4KPB5Gf2iAmgTx3qI-4,2837
@@ -17,7 +17,7 @@ depscan/lib/package_query/metadata.py,sha256=Nnh6ctLIXPRTMoHOjZC7uhmFM3ogGljg22d
 depscan/lib/package_query/npm_pkg.py,sha256=eXdTeq1ffxLN3fWfMh3QcGG1u0VYLGR4-0BmVoD5BPk,15443
 depscan/lib/package_query/pkg_query.py,sha256=ODnRegpD3gv5FIKy0ogXMEITcdfVVV-eoIaWf7UhrQU,7038
 depscan/lib/package_query/pypi_pkg.py,sha256=scn6UhMWqA0ajS-u5UVMGV7Vx-6PEY75lN6uET9yU5c,4808
-owasp_depscan-6.0.0a2.dist-info/licenses/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
+owasp_depscan-6.0.0b2.dist-info/licenses/LICENSE,sha256=oQnCbnZtJ_NLDdOLc-rVY1D1N0RNWLHPpYXcc77xzSo,1073
 vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 vendor/choosealicense.com/_data/fields.yml,sha256=ydNsITXFUuADzGPM-jcUcJnN0r_qSGgH51oV27nX3Qs,819
 vendor/choosealicense.com/_data/meta.yml,sha256=rSNmnx0LE6VA9wnR29Y_P9s-TnADQqbdw2enE4i1mWM,1792
@@ -69,9 +69,9 @@ vendor/choosealicense.com/_licenses/upl-1.0.txt,sha256=yJ3mfZkFmzSHesz6uOF9S0fX6
 vendor/choosealicense.com/_licenses/vim.txt,sha256=d5GQjXB328L8EBkhKgxcjk344D3K7UfcJmP1barrhHI,6119
 vendor/choosealicense.com/_licenses/wtfpl.txt,sha256=BxXeubkvQm32MDmlZsBcbzJzBpR5kWgw0JxSR9d7f3k,948
 vendor/choosealicense.com/_licenses/zlib.txt,sha256=e6dfCeLhxD3NCnIkY4cVIagRaWdRvencjNhHZ1APvpc,1678
-vendor/spdx/json/licenses.json,sha256=66zBMswN5ufUL8M9TIMV0PQH9aZK_X5mtHm3OkwKmVU,314245
-owasp_depscan-6.0.0a2.dist-info/METADATA,sha256=a2l-2ebikqGNzqTMcQy_5K4B0nk1Ng9R2qAHneouuEw,17650
-owasp_depscan-6.0.0a2.dist-info/WHEEL,sha256=GHB6lJx2juba1wDgXDNlMTyM13ckjBMKf-OnwgKOCtA,91
-owasp_depscan-6.0.0a2.dist-info/entry_points.txt,sha256=FxQKHFWZTfKU2eBxHPFRxwhSNexntYygYhquykS8zxA,69
-owasp_depscan-6.0.0a2.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
-owasp_depscan-6.0.0a2.dist-info/RECORD,,
+vendor/spdx/json/licenses.json,sha256=6hJD6hFqYZy_oIQ20DchwuLlkZH8FaXFR00vflKb-lk,315992
+owasp_depscan-6.0.0b2.dist-info/METADATA,sha256=7-Wt5PdEpf--5HYTiRrwpQf03FAZltpvj4C4U8XpdAQ,17433
+owasp_depscan-6.0.0b2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+owasp_depscan-6.0.0b2.dist-info/entry_points.txt,sha256=QvBVhjzm1Vx1CQkACbQWeNykZInIXUFUi6scoOYA7XY,45
+owasp_depscan-6.0.0b2.dist-info/top_level.txt,sha256=qbHOZvNU2dXANv946hMdP2vOi0ESQB5t2ZY5ktKtXvQ,15
+owasp_depscan-6.0.0b2.dist-info/RECORD,,

{owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0b2.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.3.0)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

{owasp_depscan-6.0.0a2.dist-info → owasp_depscan-6.0.0b2.dist-info}/entry_points.txt

@@ -1,3 +1,2 @@
 [console_scripts]
 depscan = depscan.cli:main
-scan = depscan.cli:main