對于pip-audit
pip-audit是一款功效宏大的安定缺點(diǎn)掃描東西,該東西重要對準(zhǔn)Python情況,不妨扶助宏大接洽職員掃描和嘗試Python包中的已知安定缺點(diǎn)。pip-audit運(yùn)用了PythonPackagingAdvisory數(shù)據(jù)庫PyPIJSONAPI動作缺點(diǎn)匯報源。
功效引見
1、扶助對當(dāng)?shù)厍闆r和依附組件(requirements作風(fēng)文獻(xiàn))舉行安定審批;
2、扶助多種缺點(diǎn)效勞(PyPI、OSV);
3、扶助以CycloneDXXML或JSON***發(fā)送SBOM;
4、供給生人和呆板均可讀的輸入***(columnar、JSON);
5、無縫接入/重用當(dāng)?shù)豴ip緩存;
東西安置
pip-audit鑒于Python開拓,且訴求當(dāng)?shù)厍闆r為Python3.7或革新本子。安置并擺設(shè)好Python情況之后,就不妨運(yùn)用下列吩咐并經(jīng)過pip來安置pip-audit了:
python-mpipinstallpip-audit第三方包
pip-audit的平常運(yùn)轉(zhuǎn)須要運(yùn)用到多個第三方包,簡直組件包稱呼和本子如次圖所示:
除此除外,咱們還不妨經(jīng)過conda來安置pip-audit:
condainstall-cconda-forgepip-audit
東西運(yùn)用
咱們不妨徑直將pip-audit以獨(dú)力步調(diào)運(yùn)轉(zhuǎn),或經(jīng)過“python-m”運(yùn)轉(zhuǎn):
pip-audit--helppython-mpip_audit--helpusage:pip-audit[-h][-V][-l][-rREQUIREMENTS][-fFORMAT][-sSERVICE][-d][-S][--desc[{on,off,auto}]][--cache-dirCACHE_DIR][--progress-spinner{on,off}][--timeoutTIMEOUT][--pathPATHS][-v][--fix][--require-hashes]auditthePythonenvironmentfordependencieswithknownvulnerabilitiesoptionalarguments:-h,--helpshowthishelpmessageandexit-V,--versionshowprogram'sversionnumberandexit-l,--localshowonlyresultsfordependenciesinthelocalenvironment(default:False)-rREQUIREMENTS,--requirementREQUIREMENTSauditthegivenrequirementsfile;thisoptioncanbeusedmultipletimes(default:None)-fFORMAT,--formatFORMATtheformattoemitauditresultsin(choices:columns,json,cyclonedx-json,cyclonedx-xml)(default:columns)-sSERVICE,--vulnerability-serviceSERVICEthevulnerabilityservicetoauditdependenciesagainst(choices:osv,pypi)(default:pypi)-d,--dry-runwithout`--fix`:collectalldependenciesbutdonotperformtheauditingstep;with`--fix`:performtheauditingstepbutdonotperformanyfixes(default:False)-S,--strictfailtheentireauditifdependencycollectionfailsonanydependency(default:False)--desc[{on,off,auto}]includeadescriptionforeachvulnerability;`auto`defaultsto`on`forthe`json`format.Thisflaghasnoeffectonthe`cyclonedx-json`or`cyclonedx-xml`formats.(default:auto)--cache-dirCACHE_DIRthedirectorytouseasanHTTPcacheforPyPI;usesthe`pip`HTTPcachebydefault(default:None)--progress-spinner{on,off}displayaprogressspinner(default:on)--timeoutTIMEOUTsetthesockettimeout(default:15)--pathPATHSrestricttothespecifiedinstallationpathforauditingpackages;thisoptioncanbeusedmultipletimes(default:[])-v,--verbosegivemoreoutput;thissettingoverridesthe`PIP_AUDIT_LOGLEVEL`variableandisequivalenttosettingitto`debug`(default:False)--fixautomaticallyupgradedependencieswithknownvulnerabilities(default:False)--require-hashesrequireahashtocheckeachrequirementagainst,forrepeatableaudits;thisoptionisimpliedwhenanypackageinarequirementsfilehasa`--hash`option.(default:False)退出代碼
工作實(shí)行后,pip-audit將會退出運(yùn)轉(zhuǎn),并歸來一個代碼以表露其狀況,個中:
0:未檢驗(yàn)和測定到已知缺點(diǎn);
1:檢驗(yàn)和測定到了一個或多個已知缺點(diǎn);
東西運(yùn)用樣例
審批暫時Python情況中的依附:
$pip-auditNoknownvulnerabilitiesfound審批給定requirements文獻(xiàn)的依附:
$pip-audit-r./requirements.txtNoknownvulnerabilitiesfound審批一個requirements文獻(xiàn),并廢除體例包:
$pip-audit-r./requirements.txt-lNoknownvulnerabilitiesfound審批依附中創(chuàng)造的安定缺點(diǎn):
$pip-auditFound2knownvulnerabilitiesin1packageNameVersionIDFixVersions-------------------------------------Flask0.5PYSEC-2019-1791.0Flask0.5PYSEC-2018-660.12.3審批依附(包括刻畫):
$pip-audit--descFound2knownvulnerabilitiesin1packageNameVersionIDFixVersionsDescription---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Flask0.5PYSEC-2019-1791.0ThePalletsProjectFlaskbefore1.0isaffectedby:unexpectedmemoryusage.Theimpactis:denialofservice.Theattackvectoris:craftedencodedJSONdata.Thefixedversionis:1.NOTE:thismayoverlapCVE-2018-1000656.Flask0.5PYSEC-2018-660.12.3ThePalletsProjectflaskversionBefore0.12.3containsaCWE-20:ImproperInputValidationvulnerabilityinflaskthatcanresultinLargeamountofmemoryusagepossiblyleadingtodenialofservice.ThisattackappeartobeexploitableviaAttackerprovidesJSONdatainincorrectencoding.Thisvulnerabilityappearstohavebeenfixedin0.12.3.NOTE:thismayoverlapCVE-2019-1010083.審批JSON***依附:
$pip-audit-fjson|jqFound2knownvulnerabilitiesin1package[{"name":"flask","version":"0.5","vulns":[{"id":"PYSEC-2019-179","fix_versions":["1.0"],"description":"ThePalletsProjectFlaskbefore1.0isaffectedby:unexpectedmemoryusage.Theimpactis:denialofservice.Theattackvectoris:craftedencodedJSONdata.Thefixedversionis:1.NOTE:thismayoverlapCVE-2018-1000656."},{"id":"PYSEC-2018-66","fix_versions":["0.12.3"],"description":"ThePalletsProjectflaskversionBefore0.12.3containsaCWE-20:ImproperInputValidationvulnerabilityinflaskthatcanresultinLargeamountofmemoryusagepossiblyleadingtodenialofservice.ThisattackappeartobeexploitableviaAttackerprovidesJSONdatainincorrectencoding.Thisvulnerabilityappearstohavebeenfixedin0.12.3.NOTE:thismayoverlapCVE-2019-1010083."}]},{"name":"jinja2","version":"3.0.2","vulns":[]},{"name":"pip","version":"21.3.1","vulns":[]},{"name":"setuptools","version":"57.4.0","vulns":[]},{"name":"werkzeug","version":"2.0.2","vulns":[]},{"name":"markupsafe","version":"2.0.1","vulns":[]}]【一>一切資源關(guān)心我,私信恢復(fù)“材料”獲得<一】1、搜集安定進(jìn)修道路2、電子書本(白帽子)3、安定大廠里面視頻4、100份src文書檔案5、罕見安定口試題6、ctf大賽典范標(biāo)題領(lǐng)會7、全套東西包8、救急相應(yīng)條記
審批并試驗(yàn)機(jī)動審批生存缺點(diǎn)的依附:
$pip-audit--fixFound2knownvulnerabilitiesin1packageandfixed2vulnerabilitiesin1packageNameVersionIDFixVersionsAppliedFix------------------------------------------------------------------------------flask0.5PYSEC-2019-1791.0Successfullyupgradedflask(0.5=>1.0)flask0.5PYSEC-2018-660.12.3Successfullyupgradedflask(0.5=>1.0)承諾證和議
內(nèi)項(xiàng)手段開拓與頒布按照Apache2.0開源承諾證和議。
