opeco17 / poetry-audit-plugin

Poetry plugin for checking vulnerabilities in dependencies

License: MIT License

Poetry Audit Plugin

Poetry plugin for checking security vulnerabilities in dependencies based on safety.

$ poetry audit
Scanning 19 packages...

  • ansible-runner     installed 1.1.2  affected <1.3.1   CVE PVE-2021-36995
  • ansible-tower-cli  installed 3.1.8  affected <3.2.0   CVE CVE-2020-1733
  • jinja2             installed 2.0    affected <2.11.3  CVE CVE-2020-28493

3 vulnerabilities found

Installation

The easiest way to install the audit plugin is via the self add command of Poetry.

poetry self add poetry-audit-plugin

If you used pipx to install Poetry, you can add the plugin via the pipx inject command.

pipx inject poetry poetry-audit-plugin

Otherwise, if you used pip to install Poetry, you can add the plugin package via the pip install command.

pip install poetry-audit-plugin

Available options

  • --json: Export the result in JSON format.

  • --ignore-code: Ignore the given vulnerability IDs (comma-separated list). For example:

poetry audit --ignore-code=CVE-2022-42969,CVE-2020-10684

  • --ignore-package: Ignore the given packages (comma-separated list). For example:

poetry audit --json --ignore-package=py,ansible-tower-cli

  • --proxy-protocol, --proxy-host, --proxy-port: Proxy used to reach the Safety DB. For example:

poetry audit --proxy-protocol=http --proxy-host=localhost --proxy-port=3128

  • --cache-sec: How long, in seconds, the Safety DB may be cached locally. For example:

poetry audit --cache-sec=60

Exit codes

poetry audit will exit with a code indicating its status.

  • 0: No vulnerabilities were found.
  • 1: One or more vulnerabilities were found.
  • Any other code: an error occurred.
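A CI gate built on the --json output and the exit codes above, as an added example that is not part of poetry-audit-plugin. The JSON layout follows the report quoted in the --json issue further down this page; the sample report is constructed, and treating a stale poetry.lock as its own exit status is this example's policy, not the plugin's.

```python
"""CI gate over `poetry audit --json` (added example, not plugin code).
Exit codes follow the README: 0 clean, 1 vulnerable; exit 2 for a stale
poetry.lock is this example's own policy (constructed sample report)."""
import json
import subprocess
from typing import Dict, Iterable, List

# Constructed sample in the plugin's --json layout (advisory text made up).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"name": "py", "installedVersion": "1.11.0",
         "vulns": [{"cve": "CVE-2022-42969", "affectedVersion": "<=1.11.0",
                    "advisory": "constructed advisory text"}]},
        {"name": "jinja2", "installedVersion": "2.0",
         "vulns": [{"cve": "CVE-2020-28493", "affectedVersion": "<2.11.3",
                    "advisory": "constructed advisory text"}]},
    ],
    "metadata": {"auditVersion": "0.2.0",
                 "poetry.lock": {"updated": False, "fresh": True}},
})


def triage(report_json: str, ignore_codes: Iterable[str] = (),
           ignore_packages: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Package -> CVE ids still open after applying the same ignore
    semantics as --ignore-code and --ignore-package."""
    report = json.loads(report_json)
    codes, pkgs = set(ignore_codes), set(ignore_packages)
    open_findings: Dict[str, List[str]] = {}
    for pkg in report["vulnerabilities"]:
        if pkg["name"] in pkgs:
            continue
        kept = [v["cve"] for v in pkg["vulns"] if v["cve"] not in codes]
        if kept:
            open_findings[pkg["name"]] = kept
    return open_findings


def gate(report_json: str, **ignores) -> int:
    """2 if poetry.lock is stale (audit may not reflect pyproject.toml),
    1 if any finding survives the ignore lists, else 0."""
    if not json.loads(report_json)["metadata"]["poetry.lock"]["fresh"]:
        return 2
    return 1 if triage(report_json, **ignores) else 0


def run_audit(project_dir: str = ".") -> str:
    """Run `poetry audit --json` and return stdout; exit 1 means
    'vulnerabilities found' per the README, so only other codes are errors."""
    proc = subprocess.run(["poetry", "audit", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or "poetry audit failed")
    return proc.stdout
```

In a pipeline, `sys.exit(gate(run_audit()))` is the whole job step; keep the ignore lists in version control so accepted risk is reviewable.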

Develop poetry-audit-plugin

This section describes how to set up an environment for developing poetry-audit-plugin.

The first step is to install Poetry. Follow the official documentation to install Poetry on your machine.

Then, you can install dependencies of poetry-audit-plugin with the following command.

poetry install

Once that is done, you can start developing poetry-audit-plugin. The test assets can be used to try the plugin locally:

cd tests/assets/no_vulnerabilities
poetry shell
poetry audit

Please lint, format, and test your changes before creating a pull request to keep the quality high.

./scripts/lint.sh
./scripts/format.sh
./scripts/test.sh

Contribution

Help is always appreciated. Please feel free to create issues and pull requests!

License

This project is licensed under the terms of the MIT license.

poetry-audit-plugin's Issues

error running with poetry 1.8.0

The combination of

  • poetry-audit-plugin 0.3.0
  • poetry 1.8.0
  • python 3.11.6

leads to the following error:

$ poetry audit
No module named 'packaging.metadata'

pre-commit hook is not working

The plugin works fine

$ poetry audit
# poetry audit report

Loading...
Scanning 55 packages...

  • black  installed 24.2.0  affected <24.3.0  CVE CVE-2024-21503

1 vulnerabilities found in 1 packages

However, the pre-commit hook does not:

$ pre-commit run poetry-audit --all-files
poetry-audit.............................................................Failed
- hook id: poetry-audit
- exit code: 1

No arguments expected for "audit" command, got "src/somepackage/run_web_server.py"
No arguments expected for "audit" command, got "src/somepackage/py.typed"
No arguments expected for "audit" command, got "src/somepackage/models.py"
No arguments expected for "audit" command, got "tests/test_somepackage.py"
No arguments expected for "audit" command, got "somepackage.service"
No arguments expected for "audit" command, got "src/somepackage/crud/binary.py"
No arguments expected for "audit" command, got "src/somepackage/routers/__init__.py"

I have added the hook like this:

repos:
  - repo: https://github.com/opeco17/poetry-audit-plugin
    rev: d110f48c48c2c4af08fab18b7c0c66d5480a6855
    hooks:
      - id: poetry-audit
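The errors above show the hook receiving staged file names as arguments, which pre-commit passes by default. As an added example (not from the issue or the project), the consumer-side config can turn that off per hook with pre-commit's pass_filenames and always_run keys, assuming the hook id stays poetry-audit:

```yaml
repos:
  - repo: https://github.com/opeco17/poetry-audit-plugin
    rev: d110f48c48c2c4af08fab18b7c0c66d5480a6855
    hooks:
      - id: poetry-audit
        pass_filenames: false   # run `poetry audit` once, with no file arguments
        always_run: true        # audit the lock file even when no staged file matches
```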

Ignore dev group dependencies

Currently dependencies from dev and other optional poetry groups are included in poetry audit output and there does not seem to be a way to remove them.

I discovered this when I added pytest as an optional dev dependency to my project.
I think poetry-audit should either ignore extra dependency groups by default or provide an option to do so like poetry show does: --without=dev

Add "pre-commit" support

What

I never did this by myself, but I believe this is simple.

How to: https://pre-commit.com/#new-hooks

Here is Flake8 example: https://github.com/PyCQA/flake8/blob/main/.pre-commit-hooks.yaml

One more example: https://github.com/koyeung/ko-poetry-audit-plugin#installation

Alternatives

Do nothing.
In such case, I will need to set up a mirror of your repository similar to a Mypy mirror https://github.com/pre-commit/mirrors-mypy
Or just use another tool which supports pre-commit.

Using --json raises local variable 'vulnerability_num' referenced before assignment

Command

poetry audit --json

Result

{
  "vulnerabilities": [
    {
      "name": "py",
      "installedVersion": "1.11.0",
      "vulns": [
        {
          "cve": "CVE-2022-42969",
          "affectedVersion": "<=1.11.0",
          "advisory": "Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\r\nhttps://github.com/pytest-dev/py/issues/287"
        }
      ]
    }
  ],
  "metadata": {
    "auditVersion": "0.2.0",
    "poetry.lock": {
      "updated": false,
      "fresh": true
    }
  }
}

local variable 'vulnerability_num' referenced before assignment

Bug

local variable 'vulnerability_num' referenced before assignment should not appear

`poetry audit` fails on poetry version 1.2.0b3

Issue

poetry audit fails due to:

Locker.locked_repository() takes 1 positional argument but 2 were given

Patching line 26 of command.py to remove the argument to self.poetry.locker.locked_repository resolves the issues.

Versions

Python: 3.10.0
Poetry: 1.2.0b3
Poetry Audit Plugin: 0.1.1
OS: Mac OS 12.1
