owasp-depscan 6.0.0a3__tar.gz → 6.0.0b2__tar.gz

{owasp_depscan-6.0.0a3/owasp_depscan.egg-info → owasp_depscan-6.0.0b2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: owasp-depscan
-Version: 6.0.0a3
+Version: 6.0.0b2
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License-Expression: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db[oras]
+Requires-Dist: appthreat-vulnerability-db[oras]>=6.4.3
 Requires-Dist: custom-json-diff>=2.1.6
 Requires-Dist: defusedxml>=0.7.1
 Requires-Dist: PyYAML>=6.0.2
@@ -31,6 +31,7 @@ Requires-Dist: cvss>=3.4
 Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
 Requires-Dist: ds-xbom-lib
 Requires-Dist: ds-analysis-lib
+Requires-Dist: ds-reporting-lib
 Provides-Extra: dev
 Requires-Dist: black>=25.1.0; extra == "dev"
 Requires-Dist: flake8>=7.1.2; extra == "dev"

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2}/depscan/cli.py

@@ -54,6 +54,7 @@ from depscan.lib.config import (
 from depscan.lib.license import build_license_data, bulk_lookup
 from depscan.lib.logger import DEBUG, LOG, SPINNER, console, IS_CI
 
+from reporting_lib.htmlgen import ReportGenerator
 if sys.platform == "win32" and os.environ.get("PYTHONIOENCODING") is None:
     sys.stdin.reconfigure(encoding="utf-8")
     sys.stdout.reconfigure(encoding="utf-8")
@@ -617,15 +618,11 @@ def run_depscan(args):
     html_report_file = depscan_options.get(
         "html_report_file", os.path.join(reports_dir, "depscan.html")
     )
-    pdf_report_file = depscan_options.get(
-        "pdf_report_file", os.path.join(reports_dir, "depscan.pdf")
-    )
     txt_report_file = depscan_options.get(
         "txt_report_file", os.path.join(reports_dir, "depscan.txt")
     )
     run_config_file = os.path.join(reports_dir, "depscan.toml.sample")
     depscan_options["html_report_file"] = html_report_file
-    depscan_options["pdf_report_file"] = pdf_report_file
     depscan_options["txt_report_file"] = txt_report_file
     # Create reports directory
     if reports_dir and not os.path.exists(reports_dir):
@@ -975,7 +972,9 @@ def run_depscan(args):
         theme=(MONOKAI if os.getenv("USE_DARK_THEME") else DEFAULT_TERMINAL_THEME),
     )
     console.save_text(txt_report_file, clear=False)
-    utils.export_pdf(html_report_file, pdf_report_file)
+    # Prettify the rich html report
+    html_report_generator = ReportGenerator(input_rich_html_path=html_report_file, report_output_path=html_report_file, raw_content=False)
+    html_report_generator.parse_and_generate_report()
     # This logic needs refactoring
     # render report into template if wished
     if args.report_template and os.path.isfile(args.report_template):

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2}/depscan/lib/explainer.py

@@ -47,9 +47,14 @@ def explain(project_type, src_dir, bom_dir, vdr_file, vdr_result, explanation_mo
         rsection = Markdown("""## Service Endpoints
 
 The following endpoints and code hotspots were identified by depscan. Verify that proper authentication and authorization mechanisms are in place to secure them.""")
-        console.print(rsection)
+        any_endpoints_shown = False
         for ospec in openapi_spec_files:
-            pattern_methods = print_endpoints(ospec)
+            pattern_methods = print_endpoints(
+                ospec, rsection if not any_endpoints_shown else None
+            )
+            if not any_endpoints_shown and pattern_methods:
+                any_endpoints_shown = True
+
     # Return early for endpoints only explanations
     if explanation_mode in ("Endpoints",):
         return
@@ -109,7 +114,7 @@ def _track_usage_targets(usage_targets, usages_object):
                 usage_targets.add(f"{file}#{l}")
 
 
-def print_endpoints(ospec):
+def print_endpoints(ospec, header_section=None):
     if not ospec:
         return
     paths = json_load(ospec).get("paths") or {}
@@ -151,6 +156,9 @@ def print_endpoints(ospec):
         sorted_areas.sort()
         rtable.add_row(k, ("\n".join(v)).upper(), "\n".join(sorted_areas))
     if pattern_methods:
+        # Print the header section
+        if header_section:
+            console.print(header_section)
         console.print()
         console.print(rtable)
     return pattern_methods
@@ -178,6 +186,7 @@ def explain_reachables(
     reachable_explanations = 0
     checked_flows = 0
     has_crypto_flows = False
+    explained_ids = {}
     purls_reachable_explanations = defaultdict(int)
     source_reachable_explanations = defaultdict(int)
     sink_reachable_explanations = defaultdict(int)
@@ -194,16 +203,9 @@ def explain_reachables(
             or (not areach.get("purls") and not cpp_flow)
         ):
             continue
-        # Focus only on the prioritized list if available
-        # if project_type in ("java",) and pkg_group_rows:
-        #     is_prioritized = False
-        #     for apurl in areach.get("purls"):
-        #         if pkg_group_rows.get(apurl):
-        #             is_prioritized = True
-        #     if not is_prioritized:
-        #         continue
         (
             flow_tree,
+            added_ids,
             comment,
             source_sink_desc,
             source_code_str,
@@ -218,7 +220,13 @@ def explain_reachables(
             project_type,
             vdr_result,
         )
-        if not source_sink_desc or not flow_tree or len(flow_tree.children) < 5:
+        # The goal is to reduce duplicate explanations by checking if a given flow is similar to one we have explained
+        # before. We do this by checking the node ids, source-sink explanations, purl tags and so on.
+        added_ids_str = "-".join(added_ids)
+        # Have we seen this sequence before?
+        if explained_ids.get(added_ids_str) or len(added_ids) < 4:
+            continue
+        if not source_sink_desc or not flow_tree or len(flow_tree.children) < 4:
             continue
         # In non-reachables mode, we are not interested in reachable flows.
         if (
@@ -269,6 +277,7 @@ def explain_reachables(
             header_shown = True
         console.print()
         console.print(rtable)
+        explained_ids[added_ids_str] = True
         reachable_explanations += 1
         if purls_str:
             purls_reachable_explanations[purls_str] += 1
@@ -428,7 +437,7 @@ def filter_tags(tags):
 
 
 def is_filterable_code(project_type, code):
-    if len(code) < 5:
+    if len(code) < 3:
         return True
     for c in (
         "console.log",
@@ -455,8 +464,16 @@ def flow_to_str(explanation_mode, flow, project_type):
         and flow.get("lineNumber")
         and not flow.get("parentFileName").startswith("unknown")
     ):
-        file_loc = f"{flow.get('parentFileName').replace('src/main/java/', '').replace('src/main/scala/', '')}#{flow.get('lineNumber')}    "
+        # strip common prefixes
+        name = flow.get('parentFileName', '')
+        for p in ('src/main/java/', 'src/main/scala/'):
+            name = name.removeprefix(p)
+        file_loc = f"{name}#{flow.get('lineNumber')}    "
     node_desc = flow.get("code").split("\n")[0]
+    if (len(node_desc) < 3 or node_desc.endswith("{")) and len(flow.get("code")) > 3:
+        node_desc = " ".join(flow.get("code", "").split())
+        if "(" in node_desc:
+            node_desc = node_desc.split("(")[0] + "() ..."
     if node_desc.endswith("("):
         node_desc = f":diamond_suit: {node_desc})"
     elif node_desc.startswith("return "):
@@ -510,6 +527,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
     if purls:
         purls_str = "\n".join(purls)
         comments.append(f"[info]Reachable Packages:[/info]\n{purls_str}")
+    added_ids = []
     added_flows = []
     added_node_desc = []
     has_check_tag = False
@@ -547,6 +565,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
         if flow_str in added_flows or node_desc in added_node_desc:
             continue
         added_flows.append(flow_str)
+        added_ids.append(str(aflow.get("id", "")))
         added_node_desc.append(node_desc)
         if not tree:
             tree = Tree(flow_str)
@@ -561,6 +580,7 @@ def explain_flows(explanation_mode, flows, purls, project_type, vdr_result):
         )
     return (
         tree,
+        added_ids,
         "\n".join(comments),
         source_sink_desc,
         source_code_str,

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2/owasp_depscan.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: owasp-depscan
-Version: 6.0.0a3
+Version: 6.0.0b2
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License-Expression: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db[oras]
+Requires-Dist: appthreat-vulnerability-db[oras]>=6.4.3
 Requires-Dist: custom-json-diff>=2.1.6
 Requires-Dist: defusedxml>=0.7.1
 Requires-Dist: PyYAML>=6.0.2
@@ -31,6 +31,7 @@ Requires-Dist: cvss>=3.4
 Requires-Dist: tomli>=2.2.1; python_full_version <= "3.11"
 Requires-Dist: ds-xbom-lib
 Requires-Dist: ds-analysis-lib
+Requires-Dist: ds-reporting-lib
 Provides-Extra: dev
 Requires-Dist: black>=25.1.0; extra == "dev"
 Requires-Dist: flake8>=7.1.2; extra == "dev"

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2}/owasp_depscan.egg-info/entry_points.txt

@@ -1,3 +1,2 @@
 [console_scripts]
 depscan = depscan.cli:main
-scan = depscan.cli:main

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2}/owasp_depscan.egg-info/requires.txt

@@ -1,4 +1,4 @@
-appthreat-vulnerability-db[oras]
+appthreat-vulnerability-db[oras]>=6.4.3
 custom-json-diff>=2.1.6
 defusedxml>=0.7.1
 PyYAML>=6.0.2
@@ -8,6 +8,7 @@ packageurl-python>=0.16.0
 cvss>=3.4
 ds-xbom-lib
 ds-analysis-lib
+ds-reporting-lib
 
 [:python_full_version <= "3.11"]
 tomli>=2.2.1

{owasp_depscan-6.0.0a3 → owasp_depscan-6.0.0b2}/pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "6.0.0a3"
+version = "6.0.0b2"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db[oras]",
+    "appthreat-vulnerability-db[oras]>=6.4.3",
     "custom-json-diff>=2.1.6",
     "defusedxml>=0.7.1",
     "PyYAML>=6.0.2",
@@ -16,7 +16,8 @@ dependencies = [
     "cvss>=3.4",
     "tomli>=2.2.1; python_full_version <= '3.11'",
     "ds-xbom-lib",
-    "ds-analysis-lib"
+    "ds-analysis-lib",
+    "ds-reporting-lib"
 ]
 
 requires-python = ">=3.10"
@@ -42,7 +43,6 @@ Funding = "https://owasp.org/donate/?reponame=www-project-dep-scan&title=OWASP+d
 
 [project.scripts]
 depscan = "depscan.cli:main"
-scan = "depscan.cli:main"
 
 [project.optional-dependencies]
 dev = [
@@ -83,10 +83,10 @@ select = "B,C,E,F,W,T4,B9"
 line-length = 99
 
 [tool.uv.sources]
-blint = { git = "https://github.com/owasp-dep-scan/blint", rev = "0a29b47a1d0ab55fcf4480785f0a8948104d7632" }
-appthreat-vulnerability-db = { git = "https://github.com/AppThreat/vulnerability-db", rev = "dc48e670acec1a62f8f20d6d4714f0c7c1e1f578" }
+blint = { git = "https://github.com/owasp-dep-scan/blint", rev = "a2ca09e6f1355e3e31147fbd40027edbf130bc40" }
 ds-xbom-lib = { workspace = true }
 ds-analysis-lib = { workspace = true }
+ds-reporting-lib = { workspace = true }
 
 [tool.uv.workspace]
 members = ["packages/*"]
@@ -95,4 +95,3 @@ members = ["packages/*"]
 dev = [
     "ruff>=0.11.6",
 ]
-