security-use 0.1.1__py3-none-any.whl

security_use/__init__.py

@@ -0,0 +1,15 @@
+"""security-use - Security scanning tool for dependencies and Infrastructure as Code."""
+
+__version__ = "0.1.1"
+
+from security_use.scanner import scan_dependencies, scan_iac
+from security_use.models import Vulnerability, IaCFinding, ScanResult
+
+__all__ = [
+    "__version__",
+    "scan_dependencies",
+    "scan_iac",
+    "Vulnerability",
+    "IaCFinding",
+    "ScanResult",
+]

security_use/cli.py

@@ -0,0 +1,348 @@
+"""Command-line interface for security-use."""
+
+import sys
+from pathlib import Path
+from typing import Optional
+
+import click
+from rich.console import Console
+
+from security_use import __version__
+from security_use.models import Severity, ScanResult
+from security_use.reporter import create_reporter
+
+
+console = Console()
+
+
+def _get_severity_threshold(severity: str) -> Severity:
+    """Convert severity string to Severity enum."""
+    mapping = {
+        "critical": Severity.CRITICAL,
+        "high": Severity.HIGH,
+        "medium": Severity.MEDIUM,
+        "low": Severity.LOW,
+    }
+    return mapping.get(severity.lower(), Severity.LOW)
+
+
+def _filter_by_severity(result: ScanResult, threshold: Severity) -> ScanResult:
+    """Filter results to only include issues at or above severity threshold."""
+    severity_order = {
+        Severity.CRITICAL: 0,
+        Severity.HIGH: 1,
+        Severity.MEDIUM: 2,
+        Severity.LOW: 3,
+        Severity.UNKNOWN: 4,
+    }
+    threshold_order = severity_order[threshold]
+
+    filtered = ScanResult(
+        scanned_files=result.scanned_files,
+        errors=result.errors,
+    )
+
+    filtered.vulnerabilities = [
+        v for v in result.vulnerabilities
+        if severity_order.get(v.severity, 4) <= threshold_order
+    ]
+
+    filtered.iac_findings = [
+        f for f in result.iac_findings
+        if severity_order.get(f.severity, 4) <= threshold_order
+    ]
+
+    return filtered
+
+
+def _output_result(
+    result: ScanResult,
+    format: str,
+    output: Optional[str],
+) -> None:
+    """Output scan results in the specified format."""
+    reporter = create_reporter(format)
+    report = reporter.generate(result)
+
+    if output:
+        Path(output).write_text(report, encoding="utf-8")
+        console.print(f"[green]Report written to {output}[/green]")
+    else:
+        if format == "json" or format == "sarif":
+            click.echo(report)
+        else:
+            # Table format already outputs via rich
+            console.print(report)
+
+
+@click.group()
+@click.version_option(version=__version__, prog_name="security-use")
+def main() -> None:
+    """security-use - Security scanning tool for dependencies and IaC."""
+    pass
+
+
+@main.group()
+def scan() -> None:
+    """Scan for security vulnerabilities."""
+    pass
+
+
+@scan.command("deps")
+@click.argument("path", type=click.Path(exists=True), default=".")
+@click.option(
+    "--format", "-f",
+    type=click.Choice(["json", "table", "sarif"]),
+    default="table",
+    help="Output format",
+)
+@click.option(
+    "--severity", "-s",
+    type=click.Choice(["critical", "high", "medium", "low"]),
+    default="low",
+    help="Minimum severity to report",
+)
+@click.option(
+    "--output", "-o",
+    type=click.Path(),
+    help="Write output to file",
+)
+def scan_deps(path: str, format: str, severity: str, output: Optional[str]) -> None:
+    """Scan dependencies for known vulnerabilities.
+
+    PATH is the file or directory to scan (default: current directory).
+    """
+    from security_use.dependency_scanner import DependencyScanner
+
+    is_machine_format = format in ("json", "sarif")
+
+    if not is_machine_format:
+        console.print(f"[blue]Scanning dependencies in {path}...[/blue]")
+
+    scanner = DependencyScanner()
+    result = scanner.scan_path(Path(path))
+
+    # Filter by severity
+    threshold = _get_severity_threshold(severity)
+    result = _filter_by_severity(result, threshold)
+
+    # Output results
+    _output_result(result, format, output)
+
+    # Exit with error code if vulnerabilities found
+    if result.vulnerabilities:
+        if not is_machine_format:
+            console.print(
+                f"\n[red]Found {len(result.vulnerabilities)} vulnerability(ies)[/red]"
+            )
+        sys.exit(1)
+    else:
+        if not is_machine_format:
+            console.print("\n[green]No vulnerabilities found[/green]")
+
+
+@scan.command("iac")
+@click.argument("path", type=click.Path(exists=True), default=".")
+@click.option(
+    "--format", "-f",
+    type=click.Choice(["json", "table", "sarif"]),
+    default="table",
+    help="Output format",
+)
+@click.option(
+    "--severity", "-s",
+    type=click.Choice(["critical", "high", "medium", "low"]),
+    default="low",
+    help="Minimum severity to report",
+)
+@click.option(
+    "--output", "-o",
+    type=click.Path(),
+    help="Write output to file",
+)
+def scan_iac(path: str, format: str, severity: str, output: Optional[str]) -> None:
+    """Scan Infrastructure as Code for security misconfigurations.
+
+    PATH is the file or directory to scan (default: current directory).
+    """
+    from security_use.iac_scanner import IaCScanner
+
+    is_machine_format = format in ("json", "sarif")
+
+    if not is_machine_format:
+        console.print(f"[blue]Scanning IaC files in {path}...[/blue]")
+
+    scanner = IaCScanner()
+    result = scanner.scan_path(Path(path))
+
+    # Filter by severity
+    threshold = _get_severity_threshold(severity)
+    result = _filter_by_severity(result, threshold)
+
+    # Output results
+    _output_result(result, format, output)
+
+    # Exit with error code if findings found
+    if result.iac_findings:
+        if not is_machine_format:
+            console.print(
+                f"\n[red]Found {len(result.iac_findings)} security issue(s)[/red]"
+            )
+        sys.exit(1)
+    else:
+        if not is_machine_format:
+            console.print("\n[green]No security issues found[/green]")
+
+
+@scan.command("all")
+@click.argument("path", type=click.Path(exists=True), default=".")
+@click.option(
+    "--format", "-f",
+    type=click.Choice(["json", "table", "sarif"]),
+    default="table",
+    help="Output format",
+)
+@click.option(
+    "--severity", "-s",
+    type=click.Choice(["critical", "high", "medium", "low"]),
+    default="low",
+    help="Minimum severity to report",
+)
+@click.option(
+    "--output", "-o",
+    type=click.Path(),
+    help="Write output to file",
+)
+def scan_all(path: str, format: str, severity: str, output: Optional[str]) -> None:
+    """Scan both dependencies and IaC for security issues.
+
+    PATH is the file or directory to scan (default: current directory).
+    """
+    from security_use.dependency_scanner import DependencyScanner
+    from security_use.iac_scanner import IaCScanner
+
+    is_machine_format = format in ("json", "sarif")
+
+    if not is_machine_format:
+        console.print(f"[blue]Scanning {path} for all security issues...[/blue]")
+
+    # Combined result
+    result = ScanResult()
+
+    # Scan dependencies
+    dep_scanner = DependencyScanner()
+    dep_result = dep_scanner.scan_path(Path(path))
+    result.vulnerabilities = dep_result.vulnerabilities
+    result.scanned_files.extend(dep_result.scanned_files)
+    result.errors.extend(dep_result.errors)
+
+    # Scan IaC
+    iac_scanner = IaCScanner()
+    iac_result = iac_scanner.scan_path(Path(path))
+    result.iac_findings = iac_result.iac_findings
+    result.scanned_files.extend(iac_result.scanned_files)
+    result.errors.extend(iac_result.errors)
+
+    # Filter by severity
+    threshold = _get_severity_threshold(severity)
+    result = _filter_by_severity(result, threshold)
+
+    # Output results
+    _output_result(result, format, output)
+
+    # Exit with error code if issues found
+    if result.total_issues > 0:
+        if not is_machine_format:
+            console.print(f"\n[red]Found {result.total_issues} security issue(s)[/red]")
+        sys.exit(1)
+    else:
+        if not is_machine_format:
+            console.print("\n[green]No security issues found[/green]")
+
+
+@main.command()
+@click.argument("path", type=click.Path(exists=True), default=".")
+@click.option(
+    "--dry-run",
+    is_flag=True,
+    help="Show what would be fixed without making changes",
+)
+def fix(path: str, dry_run: bool) -> None:
+    """Auto-fix dependency vulnerabilities by updating versions.
+
+    PATH is the file or directory to scan and fix (default: current directory).
+    """
+    from security_use.dependency_scanner import DependencyScanner
+
+    console.print(f"[blue]Scanning dependencies in {path}...[/blue]")
+
+    scanner = DependencyScanner()
+    result = scanner.scan_path(Path(path))
+
+    if not result.vulnerabilities:
+        console.print("[green]No vulnerabilities found - nothing to fix[/green]")
+        return
+
+    # Group vulnerabilities by package
+    package_fixes: dict[str, tuple[str, str]] = {}
+    for vuln in result.vulnerabilities:
+        if vuln.fixed_version and vuln.package not in package_fixes:
+            package_fixes[vuln.package] = (vuln.installed_version, vuln.fixed_version)
+
+    if not package_fixes:
+        console.print("[yellow]No automatic fixes available for found vulnerabilities[/yellow]")
+        return
+
+    console.print(f"\n[bold]Found {len(package_fixes)} package(s) to update:[/bold]\n")
+
+    for package, (current, fixed) in package_fixes.items():
+        console.print(f"  • {package}: {current} → {fixed}")
+
+    if dry_run:
+        console.print("\n[yellow]Dry run - no changes made[/yellow]")
+        return
+
+    # Apply fixes
+    console.print("\n[blue]Applying fixes...[/blue]")
+
+    for file_path in result.scanned_files:
+        path_obj = Path(file_path)
+        if path_obj.suffix == ".txt" or path_obj.name == "requirements.txt":
+            _fix_requirements_file(path_obj, package_fixes)
+
+    console.print("[green]Fixes applied successfully[/green]")
+
+
+def _fix_requirements_file(
+    file_path: Path,
+    fixes: dict[str, tuple[str, str]],
+) -> None:
+    """Apply fixes to a requirements.txt file."""
+    import re
+
+    content = file_path.read_text(encoding="utf-8")
+    lines = content.splitlines()
+    modified = False
+
+    for i, line in enumerate(lines):
+        for package, (current, fixed) in fixes.items():
+            # Match package==version pattern
+            pattern = rf'^{re.escape(package)}==({re.escape(current)})'
+            match = re.match(pattern, line, re.IGNORECASE)
+            if match:
+                lines[i] = f"{package}=={fixed}"
+                modified = True
+                console.print(f"  [green]Updated {package} in {file_path}[/green]")
+
+    if modified:
+        file_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
+
+
+@main.command()
+def version() -> None:
+    """Show version information."""
+    click.echo(f"security-use version {__version__}")
+
+
+if __name__ == "__main__":
+    main()

security_use/dependency_scanner.py

@@ -0,0 +1,199 @@
+"""Dependency scanner for detecting vulnerable packages."""
+
+from pathlib import Path
+from typing import Optional
+
+from security_use.models import ScanResult, Vulnerability
+from security_use.parsers import (
+    Dependency,
+    DependencyParser,
+    PipfileParser,
+    PoetryLockParser,
+    PyProjectParser,
+    RequirementsParser,
+)
+from security_use.parsers.pipfile import PipfileLockParser
+
+
+class DependencyScanner:
+    """Scanner for dependency files."""
+
+    PARSERS: list[type[DependencyParser]] = [
+        RequirementsParser,
+        PyProjectParser,
+        PipfileParser,
+        PipfileLockParser,
+        PoetryLockParser,
+    ]
+
+    DEPENDENCY_FILES = [
+        "requirements.txt",
+        "requirements-dev.txt",
+        "requirements-test.txt",
+        "requirements.in",
+        "pyproject.toml",
+        "Pipfile",
+        "Pipfile.lock",
+        "poetry.lock",
+        "setup.py",
+    ]
+
+    def __init__(self) -> None:
+        """Initialize the dependency scanner."""
+        self._osv_client: Optional["OSVClient"] = None
+
+    @property
+    def osv_client(self) -> "OSVClient":
+        """Lazy-load the OSV client."""
+        if self._osv_client is None:
+            from security_use.osv_client import OSVClient
+            self._osv_client = OSVClient()
+        return self._osv_client
+
+    def scan_path(self, path: Path) -> ScanResult:
+        """Scan a path for dependency vulnerabilities.
+
+        Args:
+            path: File or directory path to scan.
+
+        Returns:
+            ScanResult containing vulnerabilities found.
+        """
+        result = ScanResult()
+
+        if path.is_file():
+            files = [path]
+        else:
+            files = self._find_dependency_files(path)
+
+        for file_path in files:
+            try:
+                content = file_path.read_text(encoding="utf-8")
+                file_result = self.scan_content(content, file_path.name)
+                result.vulnerabilities.extend(file_result.vulnerabilities)
+                result.scanned_files.append(str(file_path))
+            except Exception as e:
+                result.errors.append(f"Error scanning {file_path}: {e}")
+
+        return result
+
+    def scan_content(self, content: str, file_type: str) -> ScanResult:
+        """Scan dependency file content for vulnerabilities.
+
+        Args:
+            content: The file content to scan.
+            file_type: The filename or type (e.g., 'requirements.txt').
+
+        Returns:
+            ScanResult containing vulnerabilities found.
+        """
+        result = ScanResult()
+
+        # Parse dependencies
+        dependencies = self.parse_dependencies(content, file_type)
+        if not dependencies:
+            return result
+
+        # Check for vulnerabilities
+        vulnerabilities = self.check_vulnerabilities(dependencies)
+        result.vulnerabilities = vulnerabilities
+
+        return result
+
+    def parse_dependencies(self, content: str, file_type: str) -> list[Dependency]:
+        """Parse dependencies from file content.
+
+        Args:
+            content: The file content.
+            file_type: The filename to determine parser.
+
+        Returns:
+            List of parsed dependencies.
+        """
+        parser = self._get_parser(file_type)
+        if parser is None:
+            return []
+
+        return parser.parse(content)
+
+    def check_vulnerabilities(
+        self, dependencies: list[Dependency]
+    ) -> list[Vulnerability]:
+        """Check dependencies against vulnerability databases.
+
+        Args:
+            dependencies: List of dependencies to check.
+
+        Returns:
+            List of vulnerabilities found.
+        """
+        vulnerabilities = []
+
+        # Build package list for batch query
+        packages = [
+            (dep.name, dep.version)
+            for dep in dependencies
+            if dep.version is not None
+        ]
+
+        if not packages:
+            return vulnerabilities
+
+        # Query OSV for vulnerabilities
+        vuln_results = self.osv_client.query_batch(packages)
+
+        for dep in dependencies:
+            if dep.version is None:
+                continue
+
+            key = (dep.normalized_name, dep.version)
+            if key in vuln_results:
+                vulnerabilities.extend(vuln_results[key])
+
+        return vulnerabilities
+
+    def _find_dependency_files(self, directory: Path) -> list[Path]:
+        """Find all dependency files in a directory.
+
+        Args:
+            directory: Directory to search.
+
+        Returns:
+            List of dependency file paths.
+        """
+        files = []
+
+        for filename in self.DEPENDENCY_FILES:
+            # Check root directory
+            file_path = directory / filename
+            if file_path.exists():
+                files.append(file_path)
+
+            # Check subdirectories (one level deep)
+            for subdir in directory.iterdir():
+                if subdir.is_dir() and not subdir.name.startswith("."):
+                    sub_file = subdir / filename
+                    if sub_file.exists():
+                        files.append(sub_file)
+
+        return files
+
+    def _get_parser(self, file_type: str) -> Optional[DependencyParser]:
+        """Get the appropriate parser for a file type.
+
+        Args:
+            file_type: The filename or file type.
+
+        Returns:
+            Parser instance or None if unsupported.
+        """
+        filename = file_type.lower()
+
+        for parser_class in self.PARSERS:
+            if any(
+                supported.lower() in filename
+                for supported in parser_class.supported_filenames()
+            ):
+                return parser_class()
+
+        return None

security_use/fixers/__init__.py

@@ -0,0 +1,6 @@
+"""Fixer modules for security remediation."""
+
+from security_use.fixers.dependency_fixer import DependencyFixer
+from security_use.fixers.iac_fixer import IaCFixer
+
+__all__ = ["DependencyFixer", "IaCFixer"]