owasp-depscan 6.0.0a2__tar.gz → 6.0.0a3__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of owasp-depscan might be problematic. Click here for more details.

Files changed (89) hide show
  1. {owasp_depscan-6.0.0a2/owasp_depscan.egg-info → owasp_depscan-6.0.0a3}/PKG-INFO +2 -4
  2. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/README.md +0 -2
  3. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/cli.py +1 -1
  4. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/bom.py +6 -10
  5. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/explainer.py +43 -20
  6. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3/owasp_depscan.egg-info}/PKG-INFO +2 -4
  7. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/requires.txt +3 -1
  8. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/pyproject.toml +2 -2
  9. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/LICENSE +0 -0
  10. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/MANIFEST.in +0 -0
  11. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/__init__.py +0 -0
  12. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/cli_options.py +0 -0
  13. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/__init__.py +0 -0
  14. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/audit.py +0 -0
  15. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/config.py +0 -0
  16. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/github.py +0 -0
  17. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/license.py +0 -0
  18. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/logger.py +0 -0
  19. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/__init__.py +0 -0
  20. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/cargo_pkg.py +0 -0
  21. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/metadata.py +0 -0
  22. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/npm_pkg.py +0 -0
  23. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/pkg_query.py +0 -0
  24. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/package_query/pypi_pkg.py +0 -0
  25. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/tomlparse.py +0 -0
  26. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/utils.py +0 -0
  27. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/SOURCES.txt +0 -0
  28. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/dependency_links.txt +0 -0
  29. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/entry_points.txt +0 -0
  30. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/top_level.txt +0 -0
  31. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/setup.cfg +0 -0
  32. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_bom.py +0 -0
  33. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_explainer.py +0 -0
  34. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_github.py +0 -0
  35. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_license.py +0 -0
  36. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_pkg_query.py +0 -0
  37. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/test/test_utils.py +0 -0
  38. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/__init__.py +0 -0
  39. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_data/fields.yml +0 -0
  40. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_data/meta.yml +0 -0
  41. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_data/rules.yml +0 -0
  42. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/0bsd.txt +0 -0
  43. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/afl-3.0.txt +0 -0
  44. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/agpl-3.0.txt +0 -0
  45. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/apache-2.0.txt +0 -0
  46. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/artistic-2.0.txt +0 -0
  47. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/blueoak-1.0.0.txt +0 -0
  48. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsd-2-clause-patent.txt +0 -0
  49. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsd-2-clause.txt +0 -0
  50. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsd-3-clause-clear.txt +0 -0
  51. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsd-3-clause.txt +0 -0
  52. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsd-4-clause.txt +0 -0
  53. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/bsl-1.0.txt +0 -0
  54. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cc-by-4.0.txt +0 -0
  55. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cc-by-sa-4.0.txt +0 -0
  56. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cc0-1.0.txt +0 -0
  57. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cecill-2.1.txt +0 -0
  58. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cern-ohl-p-2.0.txt +0 -0
  59. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cern-ohl-s-2.0.txt +0 -0
  60. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/cern-ohl-w-2.0.txt +0 -0
  61. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/ecl-2.0.txt +0 -0
  62. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/epl-1.0.txt +0 -0
  63. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/epl-2.0.txt +0 -0
  64. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/eupl-1.1.txt +0 -0
  65. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/eupl-1.2.txt +0 -0
  66. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/gfdl-1.3.txt +0 -0
  67. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/gpl-2.0.txt +0 -0
  68. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/gpl-3.0.txt +0 -0
  69. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/isc.txt +0 -0
  70. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/lgpl-2.1.txt +0 -0
  71. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/lgpl-3.0.txt +0 -0
  72. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/lppl-1.3c.txt +0 -0
  73. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/mit-0.txt +0 -0
  74. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/mit.txt +0 -0
  75. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/mpl-2.0.txt +0 -0
  76. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/ms-pl.txt +0 -0
  77. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/ms-rl.txt +0 -0
  78. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/mulanpsl-2.0.txt +0 -0
  79. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/ncsa.txt +0 -0
  80. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/odbl-1.0.txt +0 -0
  81. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/ofl-1.1.txt +0 -0
  82. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/osl-3.0.txt +0 -0
  83. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/postgresql.txt +0 -0
  84. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/unlicense.txt +0 -0
  85. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/upl-1.0.txt +0 -0
  86. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/vim.txt +0 -0
  87. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/wtfpl.txt +0 -0
  88. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/choosealicense.com/_licenses/zlib.txt +0 -0
  89. {owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/vendor/spdx/json/licenses.json +0 -0
{owasp_depscan-6.0.0a2/owasp_depscan.egg-info → owasp_depscan-6.0.0a3}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: owasp-depscan
3
- Version: 6.0.0a2
3
+ Version: 6.0.0a3
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License-Expression: MIT
@@ -28,7 +28,7 @@ Requires-Dist: rich>=14.0.0
28
28
  Requires-Dist: Jinja2>=3.1.6
29
29
  Requires-Dist: packageurl-python>=0.16.0
30
30
  Requires-Dist: cvss>=3.4
31
- Requires-Dist: tomli>=2.2.1
31
+ Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
32
32
  Requires-Dist: ds-xbom-lib
33
33
  Requires-Dist: ds-analysis-lib
34
34
  Provides-Extra: dev
@@ -147,8 +147,6 @@ Always stay a step ahead with advanced vulnerability and exploit prediction.
147
147
  - Chainguard
148
148
  - Wolfi OS
149
149
 
150
- Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
151
-
152
150
  ## Quick Start
153
151
 
154
152
  dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/README.md RENAMED
@@ -91,8 +91,6 @@ Always stay a step ahead with advanced vulnerability and exploit prediction.
91
91
  - Chainguard
92
92
  - Wolfi OS
93
93
 
94
- Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
95
-
96
94
  ## Quick Start
97
95
 
98
96
  dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/cli.py RENAMED
@@ -822,7 +822,7 @@ def run_depscan(args):
822
822
  pkg_max_risk_score=pkg_max_risk_score,
823
823
  risk_report_file=risk_report_file,
824
824
  )
825
- if not args.no_vuln_table and report_data:
825
+ if not args.no_vuln_table and report_data and rtable:
826
826
  console.print(rtable)
827
827
  except Exception as e:
828
828
  LOG.error(e)
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/bom.py RENAMED
@@ -6,7 +6,6 @@ from collections import defaultdict
6
6
  from datetime import datetime, timezone
7
7
  from urllib.parse import unquote_plus
8
8
 
9
- from blint.cyclonedx.spec import CycloneDX
10
9
  from custom_json_diff.lib.utils import json_load, json_dump
11
10
  from defusedxml.ElementTree import parse
12
11
  from xbom_lib.blint import BlintGenerator
@@ -15,7 +14,6 @@ from xbom_lib.cdxgen import (
15
14
  CdxgenImageBasedGenerator,
16
15
  CdxgenServerGenerator,
17
16
  )
18
-
19
17
  from depscan.lib.logger import LOG, SPINNER, console
20
18
  from depscan.lib.utils import cleanup_license_string
21
19
  from typing import Dict, Optional
@@ -327,13 +325,6 @@ def create_blint_bom(
327
325
  LOG.info(
328
326
  "The blint invocation was unsuccessful. Try generating the BOM separately."
329
327
  )
330
- # Empty SBOM is fine if there are no binaries in the project.
331
- elif bom_result.bom_obj and isinstance(bom_result.bom_obj, CycloneDX):
332
- if (
333
- not bom_result.bom_obj.components
334
- and not bom_result.bom_obj.dependencies
335
- ):
336
- LOG.debug("Empty SBOM received from blint.")
337
328
  return bom_result.success and os.path.exists(bom_file)
338
329
 
339
330
 
@@ -418,7 +409,12 @@ def create_lifecycle_boms(cdxgen_lib, src_dir, options):
418
409
  )
419
410
  status.update("Preparing blint for post-build BOM generation.")
420
411
  # post-build BOM with blint
421
- coptions = {**options, "deep": False, "use_blintdb": False, "lifecycles": ["post-build"]}
412
+ coptions = {
413
+ **options,
414
+ "deep": False,
415
+ "use_blintdb": False,
416
+ "lifecycles": ["post-build"],
417
+ }
422
418
  # What if the build directory is different to the source
423
419
  build_dir = os.getenv("DEPSCAN_BUILD_DIR") or options.get("build_dir") or src_dir
424
420
  res = create_blint_bom(postbuild_bom_file, build_dir, options=coptions)
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/depscan/lib/explainer.py RENAMED
@@ -1,3 +1,4 @@
1
+ import os
1
2
  import re
2
3
  import glob
3
4
  from collections import defaultdict
@@ -58,6 +59,12 @@ The following endpoints and code hotspots were identified by depscan. Verify tha
58
59
  else "Reachable Flows"
59
60
  )
60
61
  for sf in slices_files:
62
+ if len(slices_files) > 1:
63
+ fn = os.path.basename(sf)
64
+ section_label = f"# Explanations for {sf}"
65
+ if "-" in fn:
66
+ section_label = f"# Explanations for {fn.split('-')[0].upper()}"
67
+ console.print(Markdown(section_label))
61
68
  if (reachables_data := json_load(sf, log=LOG)) and reachables_data.get(
62
69
  "reachables"
63
70
  ):
@@ -176,11 +183,15 @@ def explain_reachables(
176
183
  sink_reachable_explanations = defaultdict(int)
177
184
  has_explanation = False
178
185
  header_shown = False
186
+ has_cpp_flow = False
179
187
  for areach in reachables.get("reachables", []):
188
+ cpp_flow = is_cpp_flow(areach.get("flows"))
189
+ if not has_cpp_flow and cpp_flow:
190
+ has_cpp_flow = True
180
191
  if (
181
192
  not areach.get("flows")
182
193
  or len(areach.get("flows")) < 2
183
- or (not areach.get("purls") and not is_cpp_flow(areach.get("flows")))
194
+ or (not areach.get("purls") and not cpp_flow)
184
195
  ):
185
196
  continue
186
197
  # Focus only on the prioritized list if available
@@ -207,7 +218,7 @@ def explain_reachables(
207
218
  project_type,
208
219
  vdr_result,
209
220
  )
210
- if not source_sink_desc or not flow_tree:
221
+ if not source_sink_desc or not flow_tree or len(flow_tree.children) < 5:
211
222
  continue
212
223
  # In non-reachables mode, we are not interested in reachable flows.
213
224
  if (
@@ -282,9 +293,15 @@ def explain_reachables(
282
293
  - Generate a Cryptographic BOM with cdxgen and monitor it in Dependency-Track.
283
294
  """
284
295
  elif checked_flows:
285
- tips += """
296
+ if not has_cpp_flow:
297
+ tips += """
286
298
  - Review the validation and sanitization methods used in the application.
287
299
  - To enhance the security posture, implement a common validation middleware.
300
+ """
301
+ else:
302
+ tips += """
303
+ - Continuously fuzz the parser and validation functions with diverse payloads.
304
+ - Generate post-build SBOMs with OWASP blint by building this project for various architecture combinations. Re-run depscan with the `--bom-dir` argument to enhance the analysis.
288
305
  """
289
306
  elif purls_reachable_explanations:
290
307
  tips += """
@@ -348,7 +365,7 @@ def flow_to_source_sink(idx, flow, purls, project_type, vdr_result):
348
365
  source_sink_desc = f"Invocation: {method_full_name}"
349
366
  elif flow.get("label") == "RETURN" and flow.get("code"):
350
367
  source_sink_desc = flow.get("code").split("\n")[0]
351
- elif project_type not in ("java") and flow.get("label") == "IDENTIFIER":
368
+ elif project_type not in ("java",) and flow.get("label") == "IDENTIFIER":
352
369
  source_sink_desc = flow.get("code").split("\n")[0]
353
370
  if source_sink_desc.endswith("("):
354
371
  source_sink_desc = f":diamond_suit: {source_sink_desc})"
@@ -411,19 +428,21 @@ def filter_tags(tags):
411
428
 
412
429
 
413
430
  def is_filterable_code(project_type, code):
414
- match project_type:
415
- case "js" | "ts" | "javascript" | "typescript" | "bom":
416
- for c in (
417
- "console.log",
418
- "thoughtLog(",
419
- "_tmp_",
420
- "LOG.debug(",
421
- "options.get(",
422
- "RET",
423
- "this.",
424
- ):
425
- if code and code.startswith(c):
426
- return True
431
+ if len(code) < 5:
432
+ return True
433
+ for c in (
434
+ "console.log",
435
+ "thoughtLog(",
436
+ "_tmp_",
437
+ "LOG.debug(",
438
+ "options.get(",
439
+ "RET",
440
+ "this.",
441
+ "NULL",
442
+ "!",
443
+ ):
444
+ if code and code.startswith(c):
445
+ return True
427
446
  return False
428
447
 
429
448
 
@@ -440,17 +459,21 @@ def flow_to_str(explanation_mode, flow, project_type):
440
459
  node_desc = flow.get("code").split("\n")[0]
441
460
  if node_desc.endswith("("):
442
461
  node_desc = f":diamond_suit: {node_desc})"
462
+ elif node_desc.startswith("return "):
463
+ node_desc = f":arrow_backward: [italic]{node_desc}[/italic]"
443
464
  tags = filter_tags(flow.get("tags"))
444
- if flow.get("label") == "METHOD_PARAMETER_IN":
465
+ if flow.get("label") in ("METHOD_PARAMETER_IN",):
445
466
  param_name = flow.get("name")
446
467
  if param_name == "this":
447
468
  param_name = ""
448
469
  node_desc = f"{flow.get('parentMethodName')}([red]{param_name}[/red]) :right_arrow_curving_left:"
449
470
  if tags:
450
471
  node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
451
- elif flow.get("label") == "IDENTIFIER":
472
+ elif flow.get("label") in ("IDENTIFIER", "CALL"):
452
473
  if node_desc.startswith("<"):
453
474
  node_desc = flow.get("name")
475
+ if flow.get("isExternal"):
476
+ node_desc = f"{node_desc} :right_arrow_curving_up:"
454
477
  if tags:
455
478
  node_desc = f"{node_desc}\n[bold]Tags:[/bold] [italic]{tags}[/italic]\n"
456
479
  if tags and not is_filterable_code(project_type, node_desc):
@@ -518,7 +541,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
518
541
  file_loc, flow_str, node_desc, has_check_tag_flow = flow_to_str(
519
542
  explanation_mode, aflow, project_type
520
543
  )
521
- if last_file_loc and last_file_loc == file_loc:
544
+ if not flow_str or (last_file_loc and last_file_loc == file_loc):
522
545
  continue
523
546
  last_file_loc = file_loc
524
547
  if flow_str in added_flows or node_desc in added_node_desc:
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3/owasp_depscan.egg-info}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: owasp-depscan
3
- Version: 6.0.0a2
3
+ Version: 6.0.0a3
4
4
  Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
5
5
  Author-email: Team AppThreat <cloud@appthreat.com>
6
6
  License-Expression: MIT
@@ -28,7 +28,7 @@ Requires-Dist: rich>=14.0.0
28
28
  Requires-Dist: Jinja2>=3.1.6
29
29
  Requires-Dist: packageurl-python>=0.16.0
30
30
  Requires-Dist: cvss>=3.4
31
- Requires-Dist: tomli>=2.2.1
31
+ Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
32
32
  Requires-Dist: ds-xbom-lib
33
33
  Requires-Dist: ds-analysis-lib
34
34
  Provides-Extra: dev
@@ -147,8 +147,6 @@ Always stay a step ahead with advanced vulnerability and exploit prediction.
147
147
  - Chainguard
148
148
  - Wolfi OS
149
149
 
150
- Application vulnerabilities would be reported for all Linux distros and Windows. To download the full vulnerability database suitable for scanning OS, invoke dep-scan with `` for the first time. dep-scan would also download the appropriate database based on project type automatically.
151
-
152
150
  ## Quick Start
153
151
 
154
152
  dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/owasp_depscan.egg-info/requires.txt RENAMED
@@ -6,10 +6,12 @@ rich>=14.0.0
6
6
  Jinja2>=3.1.6
7
7
  packageurl-python>=0.16.0
8
8
  cvss>=3.4
9
- tomli>=2.2.1
10
9
  ds-xbom-lib
11
10
  ds-analysis-lib
12
11
 
12
+ [:python_full_version <= "3.11"]
13
+ tomli>=2.2.1
14
+
13
15
  [all]
14
16
  atom-tools>=0.7.8
15
17
  blint>=2.4.1
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/pyproject.toml RENAMED
@@ -1,6 +1,6 @@
1
1
  [project]
2
2
  name = "owasp-depscan"
3
- version = "6.0.0a2"
3
+ version = "6.0.0a3"
4
4
  description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
5
5
  authors = [
6
6
  {name = "Team AppThreat", email = "cloud@appthreat.com"},
@@ -14,7 +14,7 @@ dependencies = [
14
14
  "Jinja2>=3.1.6",
15
15
  "packageurl-python>=0.16.0",
16
16
  "cvss>=3.4",
17
- "tomli>=2.2.1",
17
+ "tomli>=2.2.1; python_full_version <= '3.11'",
18
18
  "ds-xbom-lib",
19
19
  "ds-analysis-lib"
20
20
  ]
{owasp_depscan-6.0.0a2 → owasp_depscan-6.0.0a3}/LICENSE RENAMED
File without changes