uv-secure 0.1.0__tar.gz

uv_secure-0.1.0/.github/workflows/pre-commit.yml

@@ -0,0 +1,17 @@
+name: Pre-commit checks
+on:
+  pull_request:
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+      - name: Install pre-commit globally
+        run: uv tool install pre-commit --with pre-commit-uv --force
+      - name: Run pre-commit hooks
+        env:
+          SKIP: no-commit-to-branch  # Skip the main branch protection hook in CI
+        run: pre-commit run --all-files

uv_secure-0.1.0/.github/workflows/pytest.yml

@@ -0,0 +1,75 @@
+name: Pytest
+on:
+  pull_request:
+jobs:
+  pytest:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: ".python-version"
+      - name: Install the project
+        run: uv sync --all-extras --dev
+      - name: Run tests with Coverage
+        run: uv run pytest tests --cov=. --cov-report=term > coverage_summary.txt
+      - name: Prepare Comment Body
+        run: |
+          echo '### Coverage Report' >> comment_body.md
+          echo '```txt' >> comment_body.md
+          cat coverage_summary.txt >> comment_body.md
+          echo '' >> comment_body.md
+          echo '```' >> comment_body.md
+      - name: Find Coverage Report Comment
+        id: find-comment
+        uses: peter-evans/find-comment@v3
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: github-actions[bot]
+          body-includes: '### Coverage Report'
+      - name: Create or Update Coverage Comment
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body-path: comment_body.md
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          edit-mode: replace
+  pytest-additional-versions:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version:
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install the project
+        run: uv sync --all-extras --dev
+      - name: Run tests
+        run: uv run pytest tests

uv_secure-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,25 @@
+name: Release
+
+on:
+  push:
+    tags:
+      # Publish on any tag that looks like a semantic version e.g. 1.2.3
+      - '*.*.*'
+
+jobs:
+  pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+      - run: uv build
+      - name: Smoke test (wheel)
+        run: uv run --isolated --no-project -p 3.9 --with dist/*.whl tests/smoke_test.py
+      - name: Smoke test (source distribution)
+        run: uv run --isolated --no-project -p 3.9 --with dist/*.tar.gz tests/smoke_test.py
+      - run: uv publish --trusted-publishing always

uv_secure-0.1.0/.gitignore

@@ -0,0 +1,167 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.jupyter/
+.ipynb_checkpoints/
+*.ipynb
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+.idea/
+
+# VS Code
+.code/

uv_secure-0.1.0/.markdownlint.yaml

@@ -0,0 +1,19 @@
+# See rule descriptions here:
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+# See yaml schema here:
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+default: true
+
+MD013:
+  line_length: 88
+  heading_line_length: 88
+  code_block_line_length: 88
+  code_blocks: true
+  tables: true
+  headings: true
+  strict: false
+  stern: false
+
+MD035:
+  style: "---"

uv_secure-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,60 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/kynan/nbstripout
+    rev: 0.8.1
+    hooks:
+     - id: nbstripout
+       args: [--drop-empty-cells]
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: no-commit-to-branch
+      - id: pretty-format-json
+        args: [--autofix]
+        exclude: '\.ipynb$'
+      - id: mixed-line-ending
+        args: [--fix=lf]
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.0
+    hooks:
+        - id: bandit
+          args: [ "-c", "pyproject.toml" ]
+          additional_dependencies: [ "bandit[toml]" ]
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.43.0
+    hooks:
+      - id: markdownlint
+        args: [--fix]
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.13.0
+    hooks:
+      - id: mypy
+        additional_dependencies:
+          - pydantic
+  - repo: https://github.com/charliermarsh/ruff-pre-commit
+    rev: v0.8.4
+    hooks:
+      - id: ruff-format
+        types_or: [python, pyi, jupyter]
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+        types_or: [python, pyi, jupyter]
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.28.4
+    hooks:
+      - id: typos
+        args: [
+          --force-exclude,
+          # --write-changes (Don't use this to stop typos making auto-corrections)
+        ]
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.35.1
+    hooks:
+      - id: yamllint

uv_secure-0.1.0/.python-version

@@ -0,0 +1 @@
+3.9

uv_secure-0.1.0/.yamllint

@@ -0,0 +1,4 @@
+extends: relaxed
+
+rules:
+  line-length: disable

uv_secure-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Owen Lamont
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

uv_secure-0.1.0/PKG-INFO

@@ -0,0 +1,110 @@
+Metadata-Version: 2.4
+Name: uv-secure
+Version: 0.1.0
+Summary: Scan your uv.lock file for dependencies with known vulnerabilities
+Project-URL: Repository, https://github.com/owenlamont/uv-secure
+Project-URL: Releases, https://github.com/owenlamont/uv-secure/releases
+Author-email: Owen Lamont <owenrlamont@gmail.com>
+License-File: LICENSE
+Keywords: uv,uv.lock,vulnerabilities
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Natural Language :: English
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Software Development :: Libraries
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.9
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: inflect>=7.4.0
+Requires-Dist: pydantic>=2.10.3
+Requires-Dist: rich>=13.9.4
+Requires-Dist: tomli; python_version < '3.11'
+Requires-Dist: typer>=0.15.1
+Provides-Extra: jupyter
+Requires-Dist: ipywidgets>=8.1.5; extra == 'jupyter'
+Requires-Dist: jupyterlab-code-formatter>=3.0.2; extra == 'jupyter'
+Requires-Dist: jupyterlab>=4.2.5; extra == 'jupyter'
+Requires-Dist: lckr-jupyterlab-variableinspector>=3.2.4; extra == 'jupyter'
+Requires-Dist: nbdime>=4.0.2; extra == 'jupyter'
+Requires-Dist: nbstripout>=0.7.1; extra == 'jupyter'
+Requires-Dist: notebook>=7.2.2; extra == 'jupyter'
+Requires-Dist: ruff>=0.6.4; extra == 'jupyter'
+Requires-Dist: tqdm>=4.66.6; extra == 'jupyter'
+Description-Content-Type: text/markdown
+
+# uv-secure
+
+Scan your uv.lock file for dependencies with known vulnerabilities
+
+## Usage
+
+After installation you can run uv-secure --help to see the options.
+
+```text
+>> uv-secure --help
+
+ Usage: uv-secure [OPTIONS]
+
+ Parse a uv.lock file, check vulnerabilities, and display summary.
+
+╭─ Options ────────────────────────────────────────────────────────────────────────────╮
+│ --uv-lock-path        -p      PATH  Path to the uv.lock file [default: uv.lock]      │
+│ --ignore              -i      TEXT  Comma-separated list of vulnerability IDs to     │
+│                                     ignore, e.g. VULN-123,VULN-456                   │
+│ --version                           Show the application's version                   │
+│ --install-completion                Install completion for the current shell.        │
+│ --show-completion                   Show completion for the current shell, to copy   │
+│                                     it or customize the installation.                │
+│ --help                              Show this message and exit.                      │
+╰──────────────────────────────────────────────────────────────────────────────────────╯
+```
+
+By default if run with no options uv-secure will look for a uv.lock file in the current
+working directory and scan that for known vulnerabilities. E.g.
+
+```text
+>> uv-secure
+Checking dependencies for vulnerabilities...
+╭──────────────────────────────────╮
+│ No vulnerabilities detected!     │
+│ Checked: 160 dependencies        │
+│ All dependencies appear safe! 🎉 │
+╰──────────────────────────────────╯
+```
+
+## Related Work and Motivation
+
+I created this package as I wanted a dependency vulnerability scanner but I wasn't
+completely happy with the options that seemed available. I use
+[uv](https://docs.astral.sh/uv/) and wanted something that works with uv.lock files but
+neither of the main package options I found fitted my requirements:
+
+- [pip-audit](https://pypi.org/project/pip-audit/) only works with requirements.txt
+  files but even if you convert a uv.lock file to a requirements.txt file, pip-audit
+  wants to create a whole virtual environment to check all transitive dependencies (but
+  that should be completely unnecessary when the lock file already contains the full
+  dependencies).
+- [safety](https://pypi.org/project/safety/) also doesn't work with uv.lock file out of
+  the box, it does apparently work statically without needing to build a virtual
+  environment but it does require you to create an account on the
+  [safety site](https://platform.safetycli.com/). They have some limited free account
+  but require a paid account to use seriously. If you already have a safety account
+  though there is a [uv-audit](https://pypi.org/project/uv-audit/) package that wraps
+  safety to support scanning uv.lock files.
+- [Python Security PyCharm Plugin](https://plugins.jetbrains.com/plugin/13609-python-security)
+  Lastly I was inspired by Anthony Shaw's Python Security plugin - which does CVE
+  dependency scanning within PyCharm.
+
+I build uv-secure because I wanted a CLI tool I could run with pre-commit. Statically
+analyse the uv.lock file without needing to create a virtual environment, and finally
+doesn't require you to create (and pay for) an account with any service.

uv_secure-0.1.0/README.md

@@ -0,0 +1,66 @@
+# uv-secure
+
+Scan your uv.lock file for dependencies with known vulnerabilities
+
+## Usage
+
+After installation you can run uv-secure --help to see the options.
+
+```text
+>> uv-secure --help
+
+ Usage: uv-secure [OPTIONS]
+
+ Parse a uv.lock file, check vulnerabilities, and display summary.
+
+╭─ Options ────────────────────────────────────────────────────────────────────────────╮
+│ --uv-lock-path        -p      PATH  Path to the uv.lock file [default: uv.lock]      │
+│ --ignore              -i      TEXT  Comma-separated list of vulnerability IDs to     │
+│                                     ignore, e.g. VULN-123,VULN-456                   │
+│ --version                           Show the application's version                   │
+│ --install-completion                Install completion for the current shell.        │
+│ --show-completion                   Show completion for the current shell, to copy   │
+│                                     it or customize the installation.                │
+│ --help                              Show this message and exit.                      │
+╰──────────────────────────────────────────────────────────────────────────────────────╯
+```
+
+By default if run with no options uv-secure will look for a uv.lock file in the current
+working directory and scan that for known vulnerabilities. E.g.
+
+```text
+>> uv-secure
+Checking dependencies for vulnerabilities...
+╭──────────────────────────────────╮
+│ No vulnerabilities detected!     │
+│ Checked: 160 dependencies        │
+│ All dependencies appear safe! 🎉 │
+╰──────────────────────────────────╯
+```
+
+## Related Work and Motivation
+
+I created this package as I wanted a dependency vulnerability scanner but I wasn't
+completely happy with the options that seemed available. I use
+[uv](https://docs.astral.sh/uv/) and wanted something that works with uv.lock files but
+neither of the main package options I found fitted my requirements:
+
+- [pip-audit](https://pypi.org/project/pip-audit/) only works with requirements.txt
+  files but even if you convert a uv.lock file to a requirements.txt file, pip-audit
+  wants to create a whole virtual environment to check all transitive dependencies (but
+  that should be completely unnecessary when the lock file already contains the full
+  dependencies).
+- [safety](https://pypi.org/project/safety/) also doesn't work with uv.lock file out of
+  the box, it does apparently work statically without needing to build a virtual
+  environment but it does require you to create an account on the
+  [safety site](https://platform.safetycli.com/). They have some limited free account
+  but require a paid account to use seriously. If you already have a safety account
+  though there is a [uv-audit](https://pypi.org/project/uv-audit/) package that wraps
+  safety to support scanning uv.lock files.
+- [Python Security PyCharm Plugin](https://plugins.jetbrains.com/plugin/13609-python-security)
+  Lastly I was inspired by Anthony Shaw's Python Security plugin - which does CVE
+  dependency scanning within PyCharm.
+
+I build uv-secure because I wanted a CLI tool I could run with pre-commit. Statically
+analyse the uv.lock file without needing to create a virtual environment, and finally
+doesn't require you to create (and pay for) an account with any service.