About pip-audit
pip-audit is a security vulnerability scanner for Python environments. It helps researchers and engineers scan Python packages, both installed and declared in requirements files, for known security vulnerabilities. pip-audit uses the Python Packaging Advisory Database, served through the PyPI JSON API, as its source of vulnerability reports.
Features
1. Audits the local environment and dependency lists (requirements-style files) for known vulnerabilities;
2. Supports multiple vulnerability services (PyPI, OSV);
3. Emits SBOMs in CycloneDX XML or JSON format;
4. Provides both human-readable and machine-readable output formats (columnar, JSON);
5. Seamlessly reuses the local pip HTTP cache.
Tool installation
pip-audit is written in Python and requires Python 3.7 or newer. Once a Python environment is installed and configured, pip-audit can be installed through pip with the following command:
python -m pip install pip-audit
Third-party packages
pip-audit depends on several third-party packages at runtime; the package names and versions are shown in the figure below:
Alternatively, pip-audit can be installed through conda:
conda install -c conda-forge pip-audit
Tool usage
pip-audit can be run directly as a standalone program, or through "python -m":
pip-audit --help
python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE] [-d] [-S]
                 [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
                 [--progress-spinner {on,off}] [--timeout TIMEOUT] [--path PATHS] [-v]
                 [--fix] [--require-hashes]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns, json, cyclonedx-json, cyclonedx-xml) (default: columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not perform the auditing step; with `--fix`: perform the auditing step but do not perform any fixes (default: False)
  -S, --strict          fail the entire audit if dependency collection fails on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for auditing packages; this option can be used multiple times (default: [])
  -v, --verbose         give more output; this setting overrides the `PIP_AUDIT_LOGLEVEL` variable and is equivalent to setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for repeatable audits; this option is implied when any package in a requirements file has a `--hash` option. (default: False)
Exit codes
When a run completes, pip-audit exits with a return code that reports the outcome:
0: no known vulnerabilities were detected;
1: one or more known vulnerabilities were detected.
Because the result is carried in the exit code, pip-audit can be used directly as a CI gate: a non-zero exit fails the pipeline step.
Tool usage examples
Audit the dependencies in the current Python environment:
$ pip-audit
No known vulnerabilities found

Audit the dependencies of a given requirements file:
$ pip-audit -r ./requirements.txt
No known vulnerabilities found

Audit a requirements file while excluding system packages:
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

Audit dependencies when vulnerabilities are present:
$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----- ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3

Audit dependencies, including a description of each vulnerability:
$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions Description
----- ------- -------------- ------------ -----------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Audit dependencies with JSON output (the summary line goes to stderr, so only the JSON reaches jq):
$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": ["1.0"],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": ["0.12.3"],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  {"name": "jinja2", "version": "3.0.2", "vulns": []},
  {"name": "pip", "version": "21.3.1", "vulns": []},
  {"name": "setuptools", "version": "57.4.0", "vulns": []},
  {"name": "werkzeug", "version": "2.0.2", "vulns": []},
  {"name": "markupsafe", "version": "2.0.1", "vulns": []}
]
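The JSON output above and the exit codes listed earlier are what a CI pipeline actually consumes. The following script, an added example that is not part of pip-audit or of this article, runs `pip-audit -f json`, flattens the per-package report into one finding per advisory, and turns it into a build gate that mirrors pip-audit's own 0/1 exit codes. The allow-list (`ignore_ids`) and the "no fix released" flag are this script's own policy, not pip-audit features; the embedded report is a constructed copy of the sample output shown on this page so the script can be exercised offline.

```python
"""Turn pip-audit's JSON report into a CI gate.

Added example; not part of pip-audit or the original article. It assumes pip-audit is
invoked with `-f json` and that each entry has the shape shown on this page:
{"name": ..., "version": ..., "vulns": [{"id": ..., "fix_versions": [...], "description": ...}]}.
The ignore-list policy below is this script's own, not a pip-audit feature.
"""
import json
import shutil
import subprocess
from dataclasses import dataclass
from typing import Iterable

# pip-audit's documented exit codes; the gate returns the same values.
EXIT_NO_VULNS = 0
EXIT_VULNS_FOUND = 1

# Constructed sample: a trimmed copy of the `pip-audit -f json` output shown on this
# page, embedded so the example runs without network access or an installed pip-audit.
SAMPLE_JSON = """[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"], "description": "DoS via crafted JSON"},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"], "description": "DoS via crafted JSON"}
  ]},
  {"name": "jinja2", "version": "3.0.2", "vulns": []},
  {"name": "werkzeug", "version": "2.0.2", "vulns": []}
]"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    fix_versions: tuple


def parse_findings(report_text: str) -> list:
    """Flatten the per-package JSON list into one Finding per vulnerability."""
    findings = []
    for dep in json.loads(report_text):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln["id"],
                fix_versions=tuple(vuln.get("fix_versions", [])),
            ))
    return findings


def evaluate(findings: Iterable[Finding], ignore_ids: Iterable[str] = ()) -> tuple:
    """Apply the gate policy and return (exit_code, report_lines).

    Findings whose ID is in ignore_ids are reported but do not fail the build;
    every other finding does. A finding with an empty fix_versions list is marked
    "no fix released", because `pip-audit --fix` has nothing to upgrade to.
    """
    ignored = set(ignore_ids)
    lines = []
    blocking = 0
    for f in findings:
        fix = ", ".join(f.fix_versions) if f.fix_versions else "no fix released"
        if f.vuln_id in ignored:
            lines.append(f"IGNORED  {f.package}=={f.version} {f.vuln_id} (fix: {fix})")
        else:
            blocking += 1
            lines.append(f"BLOCKING {f.package}=={f.version} {f.vuln_id} (fix: {fix})")
    code = EXIT_VULNS_FOUND if blocking else EXIT_NO_VULNS
    return code, lines


def run_pip_audit(extra_args: Iterable[str] = ()) -> str:
    """Run pip-audit and return its JSON report (stdout).

    The "Found N known vulnerabilities ..." summary is written to stderr, so stdout is
    pure JSON. Exit code 1 only means findings exist; anything other than 0 or 1 is
    treated as a tool failure.
    """
    if shutil.which("pip-audit") is None:
        raise RuntimeError("pip-audit not installed; run: python -m pip install pip-audit")
    proc = subprocess.run(
        ["pip-audit", "-f", "json", "--progress-spinner", "off", *extra_args],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode not in (EXIT_NO_VULNS, EXIT_VULNS_FOUND):
        raise RuntimeError(f"pip-audit failed (exit {proc.returncode}): {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    import sys
    # Offline demo on the embedded sample; in CI replace SAMPLE_JSON with
    # run_pip_audit(["-r", "requirements.txt"]). Extra argv entries are advisory IDs to ignore.
    exit_code, report = evaluate(parse_findings(SAMPLE_JSON), ignore_ids=sys.argv[1:])
    print("\n".join(report) or "No known vulnerabilities found")
    sys.exit(exit_code)
```

Run as `python gate.py` to see both Flask advisories reported as BLOCKING with exit status 1; `python gate.py PYSEC-2019-179 PYSEC-2018-66` reports them as IGNORED and exits 0. Keeping the ignore-list explicit on the command line (or in a reviewed file) is the point: an exception to the gate should be visible in the pipeline definition rather than hidden in the tool's output.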
Audit dependencies and attempt to automatically fix the vulnerable ones:
$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name  Version ID             Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5     PYSEC-2019-179 1.0          Successfully upgraded flask (0.5 => 1.0)
flask 0.5     PYSEC-2018-66  0.12.3       Successfully upgraded flask (0.5 => 1.0)
Note that a single upgrade resolves both findings: pip-audit selects a version that satisfies every fix version for the package (here 1.0, not 0.12.3). To preview the upgrades without changing the environment, combine `--fix` with `-d/--dry-run`.
License
This project is developed and released under the Apache 2.0 open source license.