Security audit Python project dependencies against security advisory databases.

Overview

        .         .    .      Skjold /skjɔl/
    ,-. | , . ,-. |  ,-|
    `-. |<  | | | |  | |      Security audit python project dependencies
    `-' ' ` | `-' `' `-´      against several security advisory databases.
           `'

Introduction

It currently supports fetching advisories from the following sources:

Source                    Name       Notes
GitHub Advisory Database  github
PyUP.io safety-db         pyup
GitLab gemnasium-db       gemnasium
PYPA Advisory Database    pypa       Experimental! Only supports ECOSYSTEM and SEMVER!
OSV.dev Database          osv        Experimental! Only supports ECOSYSTEM and SEMVER!
                                     Sends package information to OSV.dev API.

No source is enabled by default! Individual sources can be enabled by setting sources list (see Configuration). There is (currently) no de-duplication meaning that using all of them could result in a lot of duplicates.

Motivation

Skjold was initially created for myself to replace safety, which appears to no longer receive monthly updates (see pyupio/safety-db #2282). I wanted something I can run locally and use for my local or private projects/scripts.

I currently also use it during CI builds and before deploying/publishing containers or packages.

Installation

skjold can be installed from either PyPI or directly from Github using pip:

pip install skjold                                        # Install from PyPI
pip install git+https://github.com/twu/skjold@vX.X.X   # Install from Github

This should provide a script named skjold that can then be invoked. See Usage.

Usage

$ pip list --format=freeze | skjold -v audit --sources gemnasium -

When running audit one can either provide a path to a frozen requirements.txt, a poetry.lock or a Pipfile.lock file. Alternatively, dependencies can also be passed in via stdin (formatted as package==version).

skjold maintains a local cache (under cache_dir) that expires automatically once cache_expires has passed. Both cache_dir and cache_expires can be adjusted in the tool.skjold section of the project's pyproject.toml (see Configuration for more details). The cache_dir is created automatically and, unless otherwise specified, is located under $HOME/.skjold/cache.

For further options please read skjold --help and/or skjold audit --help.

Examples

All examples involving github assume that SKJOLD_GITHUB_API_TOKEN is already set (see Github).

# Using pip list. Checking against GitHub only.
$ pip list --format=freeze | skjold audit -s github -

# Be verbose. Read directly from supported formats.
$ skjold -v audit requirements.txt
$ skjold -v audit poetry.lock
$ skjold -v audit Pipfile.lock

# Using poetry.
$ poetry export -f requirements.txt | skjold audit -s github -s gemnasium -s pyup -

# Using poetry, format output as json and pass it on to jq for additional filtering.
$ poetry export -f requirements.txt | skjold audit -o json -s github - | jq '.[0]'

# Using Pipenv, checking against Github
$ pipenv run pip list --format=freeze | skjold audit -s github -

# Checking a single package via stdin against Github and format findings as json.
$ echo "urllib3==1.23" | skjold audit -o json -r -s github -
[
  {
    "severity": "HIGH",
    "name": "urllib3",
    "version": "1.23",
    "versions": "<1.24.2",
    "source": "github",
    "summary": "High severity vulnerability that affects urllib3",
    "references": [
      "https://nvd.nist.gov/vuln/detail/CVE-2019-11324"
    ],
    "url": "https://github.com/advisories/GHSA-mh33-7rrq-662w"
  }
]

# Checking a single package via stdin against Gemnasium and report findings (`-o cli`).
$ echo "urllib3==1.23" | skjold audit -o cli -r -s gemnasium -

urllib3==1.23 (<=1.24.2) via gemnasium

CRLF injection. In the urllib3 library for Python, CRLF injection is possible
if the attacker controls the request parameter.
https://nvd.nist.gov/vuln/detail/CVE-2019-11236
--

urllib3==1.23 (<1.24.2) via gemnasium

Weak Authentication Caused By Improper Certificate Validation. The urllib3
library for Python mishandles certain cases where the desired set of CA
certificates is different from the OS store of CA certificates, which results
in SSL connections succeeding in situations where a verification failure is the
correct outcome. This is related to use of the `ssl_context`, `ca_certs`, or
`ca_certs_dir` argument.
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
--

urllib3==1.23 (<1.25.9) via gemnasium

Injection Vulnerability. urllib3 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting `CR` and `LF` control
characters in the first argument of `putrequest()`. NOTE: this is similar to
CVE-2020-26116.
https://nvd.nist.gov/vuln/detail/CVE-2020-26137
--
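The JSON output above lists one object per finding per source, and the Introduction notes that skjold does no de-duplication, so auditing against several sources reports the same advisory more than once. The following post-processor is an added example (not part of skjold) that reads `skjold audit -o json` output, merges findings that reference the same CVE for the same package and version, keeps the highest severity reported, and returns the subset at or above a severity threshold so a CI step can fail on it. The field names are the ones in the README's sample output; the severity ranking and the constructed sample findings are assumptions.

```python
"""Post-process skjold JSON findings: de-duplicate across sources and gate on severity.

Added example, not part of skjold itself. It assumes findings were produced with
`skjold audit -o json ...` and carry the fields shown in the README's sample output
(severity, name, version, versions, source, summary, references, url).
"""
import json
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Severity ranking used by the gate (assumption); "UNKNOWN" covers sources that set none.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample: the same urllib3 advisory reported by two sources (github sets a
# severity, gemnasium does not), plus a second, lower-severity finding.
SAMPLE_OUTPUT = json.dumps([
    {"severity": "HIGH", "name": "urllib3", "version": "1.23", "versions": "<1.24.2",
     "source": "github", "summary": "High severity vulnerability that affects urllib3",
     "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11324"],
     "url": "https://github.com/advisories/GHSA-mh33-7rrq-662w"},
    {"severity": "", "name": "urllib3", "version": "1.23", "versions": "<1.24.2",
     "source": "gemnasium",
     "summary": "Weak Authentication Caused By Improper Certificate Validation.",
     "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11324"], "url": ""},
    {"severity": "LOW", "name": "urllib3", "version": "1.23", "versions": "<=1.24.2",
     "source": "gemnasium", "summary": "CRLF injection.",
     "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11236"], "url": ""},
])


def finding_key(f):
    """Identity of a finding across sources: package, version and the CVE ids it references.
    Falls back to the advisory URL or summary when no CVE is referenced, so unrelated
    findings never merge by accident."""
    text = " ".join(f.get("references", []) + [f.get("url", ""), f.get("summary", "")])
    cves = tuple(sorted(set(CVE_RE.findall(text))))
    return (f["name"], f["version"], cves or (f.get("url") or f.get("summary"),))


def deduplicate(findings):
    """Merge findings that describe the same issue; keep the highest severity and every source."""
    merged = {}
    for f in findings:
        key = finding_key(f)
        sev = (f.get("severity") or "UNKNOWN").upper()
        if key not in merged:
            merged[key] = {**f, "severity": sev, "sources": [f["source"]],
                           "references": list(f.get("references", []))}
            continue
        m = merged[key]
        if f["source"] not in m["sources"]:
            m["sources"].append(f["source"])
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(m["severity"], 0):
            m["severity"] = sev
        for ref in f.get("references", []):
            if ref not in m["references"]:
                m["references"].append(ref)
    return list(merged.values())


def gate(findings, fail_on="HIGH"):
    """Return the findings at or above `fail_on`; a non-empty result means the build should fail."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def summarize(raw_json, fail_on="HIGH"):
    """Parse skjold JSON output and return counts plus the de-duplicated findings."""
    unique = deduplicate(json.loads(raw_json))
    return {"total": len(unique), "failing": len(gate(unique, fail_on)), "findings": unique}


if __name__ == "__main__":
    import sys
    # usage: skjold audit -o json -r -s github -s gemnasium - | python this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    result = summarize(data)
    for f in result["findings"]:
        print(f"{f['name']}=={f['version']} [{f['severity']}] via {','.join(f['sources'])}")
    sys.exit(1 if result["failing"] else 0)
```

Run with `-r` on the skjold side so skjold itself always exits zero and the exit code comes from this gate; the merge key deliberately includes the package version, since the same CVE against two different pinned versions of a package are two findings, not one.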

Ignore Findings

Findings can be ignored either by manually adding an entry using the source's identifier to a file named .skjoldignore (See Example) or by using `skjold ignore` in the CLI. Below are a few possible usage examples.

# Ignore PYSEC-2020-148 finding from PyPA source until a certain date with a specific reason.
$ skjold ignore urllib3 PYSEC-2020-148 --reason "Very good reason." --expires "2021-01-01T00:00:00+00:00"
Ignore urllib3 in PYSEC-2020-148 until 2021-01-01 00:00:00+00:00?
Very good reason.
--
Add to '.skjoldignore'? [y/N]: y

# Ignore PYSEC-2020-148 finding from PyPA source for 7 days with "No immediate remediation." reason.
$ skjold ignore urllib3 PYSEC-2020-148
Ignore urllib3 in PYSEC-2020-148 until ...?
No immediate remediation.
--
Add to '.skjoldignore'? [y/N]: y

# Audit `poetry.lock` using a custom `.skjoldignore` file location via `ENV`...
$ SKJOLD_IGNORE_FILE=<path-to-ignore-file> skjold audit -s pyup poetry.lock

# ... or using -i/--ignore-file
$ skjold audit -s pyup -i <path-to-ignore-file> poetry.lock

Configuration

skjold can read its configuration from the tool.skjold section of a project's pyproject.toml. Arguments specified via the command-line take precedence over any configured or default value.

[tool.skjold]
sources = ["github", "pyup", "gemnasium"]  # Sources to check against.
report_only = true                         # Report only, always exit with zero.
report_format = 'json'                     # Output findings as `json`. Default is 'cli'.
cache_dir = '.skjold_cache'                # Cache location (default: `~/.skjold/cache`).
cache_expires = 86400                      # Cache max. age.
ignore_file = '.skjoldignore'              # Ignorefile location (default `.skjoldignore`).
verbose = true                             # Be verbose.

To take a look at the current configuration / defaults run:

$ skjold config
sources: ['pyup', 'github', 'gemnasium']
report_only: True
report_format: json
verbose: False
cache_dir: .skjold_cache
cache_expires: 86400
ignore_file: .skjoldignore
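The precedence rule stated above (defaults, then `[tool.skjold]` in pyproject.toml, then explicit command-line arguments) is easy to get subtly wrong: if a CLI parser hands its own defaults to the merge step, they silently overwrite values already set in pyproject.toml, which is the kind of problem the v0.2.0 release notes describe fixing (#11). The following is an added example, not skjold's own configuration code, showing one way to resolve the three layers so that only explicitly given CLI values override the file. The defaults mirror the README where it states them (no sources enabled, `cli` output, `.skjoldignore`, `~/.skjold/cache`); the remaining defaults, the rejection of unknown keys and the constructed pyproject.toml are assumptions. It uses `tomllib` (Python 3.11+), falling back to `tomli` on older interpreters.

```python
"""Layered config resolution: defaults < [tool.skjold] in pyproject.toml < explicit CLI flags.

Added example, not skjold's own configuration code. Requires Python 3.11 (tomllib)
or the tomli package on older interpreters.
"""
try:
    import tomllib
except ImportError:  # Python < 3.11
    import tomli as tomllib

DEFAULTS = {
    "sources": [],              # README: no source is enabled by default
    "report_only": False,
    "report_format": "cli",     # README: default is 'cli'
    "verbose": False,
    "cache_dir": "~/.skjold/cache",
    "cache_expires": 86400,     # assumption: the README shows 86400 only as an example value
    "ignore_file": ".skjoldignore",
}

# Constructed pyproject.toml, shaped like the README's configuration example.
SAMPLE_PYPROJECT = b"""
[tool.poetry]
name = "example"

[tool.skjold]
sources = ["github", "pyup", "gemnasium"]
report_only = true
cache_dir = '.skjold_cache'
"""


def load_project_config(pyproject_bytes):
    """Return the [tool.skjold] table, or {} when pyproject.toml has none.

    Unknown keys are rejected (an assumption of this example): a typo such as
    `source = [...]` would otherwise leave no sources enabled without any warning."""
    doc = tomllib.loads(pyproject_bytes.decode("utf-8"))
    section = doc.get("tool", {}).get("skjold", {})
    unknown = set(section) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown [tool.skjold] keys: {sorted(unknown)}")
    return section


def resolve_config(project_config, cli_args):
    """Merge the layers. A CLI value overrides only when it was explicitly given
    (i.e. is not None); CLI parser defaults must not reach this function."""
    config = dict(DEFAULTS)
    config.update(project_config)
    for key, value in cli_args.items():
        if value is not None:
            config[key] = value
    return config


if __name__ == "__main__":
    project = load_project_config(SAMPLE_PYPROJECT)
    # simulate `skjold -v audit -s osv ...`: only verbose and sources were given on the CLI
    cli = {"verbose": True, "sources": ["osv"], "report_only": None, "report_format": None}
    for key, value in resolve_config(project, cli).items():
        print(f"{key}: {value}")
```

With the sample above, `report_only` stays `True` from pyproject.toml because the CLI did not set it, while `sources` becomes `["osv"]` because it did; a merge that used the parser's `report_only=False` default would have flipped the file's setting.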

Github

For the github source to work you'll need to provide a GitHub API token via an ENV variable named SKJOLD_GITHUB_API_TOKEN. You can create a new GitHub access token here. You do not have to give it any permissions, as it is only required to query the GitHub GraphQL API v4.

Version Control Integration

To use skjold with the excellent pre-commit framework, add the following to the project's .pre-commit-config.yaml after installation.

repos:
  - repo: https://github.com/twu/skjold
    rev: vX.X.X
    hooks:
    - id: skjold
      verbose: true  # Important if used with `report_only`, see below.

After running pre-commit install the hook should be good to go. To configure skjold in this scenario I recommend adding the entire configuration to the project's pyproject.toml instead of manipulating the hook args. See this project's pyproject.toml for an example.

Important!: When using skjold as a pre-commit hook it only gets triggered when you commit changed dependency files (e.g. Pipfile.lock, poetry.lock, requirements.txt, ...). It will not continuously check your dependencies on every commit!

You could run pre-commit run skjold --all-files manually in your workflow/scripts or run skjold manually. If you have a better solution please let me know!

Important!: If you use report_only in any way, make sure that you add verbose: true to your hook configuration; otherwise pre-commit won't show you any output, since the hook always returns a zero exit code when report_only is set!

Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Comments
  • Bump pytest-mock from 3.9.0 to 3.10.0

    Bump pytest-mock from 3.9.0 to 3.10.0

    Bumps pytest-mock from 3.9.0 to 3.10.0.

    Release notes

    Sourced from pytest-mock's releases.

    v3.10.0

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls (#319).
    Changelog

    Sourced from pytest-mock's changelog.

    3.10.0 (2022-10-05)

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls ([#319](https://github.com/pytest-dev/pytest-mock/issues/319)_).

    .. _#319: pytest-dev/pytest-mock#319

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 5
  • Pre-commit hook fails if multiple lock or requirements files are modified at same time

    Pre-commit hook fails if multiple lock or requirements files are modified at same time

    If you in your repo have multiple files that should be analyzed by skjold and use it as a pre-commit hook, the hook fails if you modify multiple lock/requirements files in the same commit.

    The reason for the problem is that pre-commit tries to invoke skjold audit with multiple files as arguments at once and the skjold audit command only accepts one file at a time.

    A minimal POC can be obtained by just creating an empty git repo (mkdir skjold-poc; cd skjold-poc; git init), enabling pre-commit (pre-commit install), adding a .pre-commit-config.yaml containing

    repos:
      - repo: https://github.com/twu/skjold
        rev: v0.4.1
        hooks:
        - id: skjold
          verbose: true
    

    and then creating two (or more) requirements files (touch requirements.txt requirements-dev.txt) and then running git add .

    If you then try to commit with git commit -m "Adding requirements files" you will be greeted with an error saying: Error: Got unexpected extra argument (requirements.txt). If you add even more different lock files or requirements-something.txt files the message will be expanded with more extra arguments.

    It's probably not that common people would have both poetry.lock and Pipfile.lock files, but possible people want to have multiple requirements.txt files (one for dev and one for prod) or multiple lock files in different directories of the same repo and get them all analyzed. It's of course possible to somewhat well avoid the problem by modifying only one lock file at a time, but the same issue also affects pre-commit run --all-files that will scan all the matched files regardless of if they've been changed or not.

    bug 
    opened by joakimnordling 4
  • More flexibility in requirements.txt format

    More flexibility in requirements.txt format

    If a requirements file has anything extra, this error is raised:

      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/cli.py", line 169, in audit_
        packages = extract_package_list_from(config, file, file_format)
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 80, in extract_package_list_from
        for package in reader_func(file):
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 47, in read_requirements_txt_from
        package_name, package_version = line.strip().split(" ")[0].split("==")
    ValueError: not enough values to unpack (expected 2, got 1)
    

    The most common example that can cause this is # for comments.

    I also have requirements.txt files with hashes specified and spanning multiple lines, like this:

    beautifulsoup4==4.8.0 \
        --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \
        --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b \
        --hash=sha256:f040590be10520f2ea4c2ae8c3dae441c7cfff5308ec9d58a0ec0c1b8f81d469
    

    There are other things that can be in a valid requirements.txt file too, like extra pip options. https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format

    These can all be worked around by massaging the requirements file first and passing it as stdin, something like: cat requirements.txt | sed 's/#.*//' | skjold audit -s gemnasium - But it would be very handy for skjold to handle any requirements.txt file that is valid for pip.

    enhancement 
    opened by brondsem 4
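The traceback in the issue above comes from splitting each line on `==` unconditionally, which breaks on comments, `--hash` continuation lines and pip options that are all legal in a requirements file. The following is an added example, not skjold's `read_requirements_txt_from`, of a more tolerant reader for the cases the issue lists: `#` comments, backslash line continuations, per-requirement `--hash=` options, pip options such as `-r` or `--index-url` (skipped and reported), environment markers and extras. It returns only exact `==` pins, since that is the `package==version` form skjold audits, and reports everything else as skipped rather than crashing. The sample requirements file is constructed for the example.

```python
"""Tolerant reader for pip requirements.txt files, yielding (name, version) pins.

Added example, not skjold's own reader. Handles comments, backslash continuations,
--hash options, pip options, extras and environment markers; returns exact pins only.
"""
import re
from io import StringIO

# Constructed sample covering the problem cases from the issue.
SAMPLE_REQUIREMENTS = """\
# Pinned dependencies (constructed sample)
--index-url https://pypi.org/simple
-r base.txt
beautifulsoup4==4.8.0 \\
    --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \\
    --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b
urllib3==1.23  # known bad version
requests[security]==2.22.0; python_version >= "3.6"
flask>=1.0      # not an exact pin, skipped
"""

# name, optional [extras], then an exact == version that ends at whitespace or a marker
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def logical_lines(fh):
    """Join backslash-continued lines and drop comments and blank lines, as pip does."""
    buf = ""
    for raw in fh:
        line = raw.rstrip("\n")
        # a '#' at line start or preceded by whitespace begins a comment
        line = re.sub(r"(^|\s)#.*$", "", line)
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def read_pins(fh):
    """Return (pins, skipped): pins as (name, version) tuples, skipped as (line, reason)."""
    pins, skipped = [], []
    for line in logical_lines(fh):
        if line.startswith("-"):
            skipped.append((line, "pip option"))
            continue
        match = PIN_RE.match(line)
        if not match:
            skipped.append((line, "not an exact == pin"))
            continue
        pins.append((match.group(1), match.group(2)))
    return pins, skipped


def read_pins_from_text(text):
    """Convenience wrapper for in-memory input."""
    return read_pins(StringIO(text))


def to_stdin_format(pins):
    """Render pins as `package==version` lines, the stdin format skjold accepts."""
    return "\n".join(f"{name}=={version}" for name, version in pins) + "\n"


if __name__ == "__main__":
    # usage: python this_script.py < requirements.txt | skjold audit -s gemnasium -
    import sys
    source = sys.stdin if not sys.stdin.isatty() else StringIO(SAMPLE_REQUIREMENTS)
    pins, skipped = read_pins(source)
    print(to_stdin_format(pins), end="")
    for line, reason in skipped:
        print(f"skipped ({reason}): {line}", file=sys.stderr)
```

Skipped lines go to stderr so stdout stays a clean `package==version` list that can be piped straight into `skjold audit ... -`. Note that a skipped `-r base.txt` means those packages are not audited; a complete tool would follow the include, which this example deliberately does not do.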
  • Invalid specifier error

    Invalid specifier error

    Hi @twu !! I got the below error. Can I help to fix this?

        specifiers.SpecifierSet(f"=={x}", prereleases=True)
      File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__
        parsed.add(Specifier(specifier))
      File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__
        raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
    packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

    opened by Bernardoow 3
  • Bump coverage from 7.0.0 to 7.0.1

    Bump coverage from 7.0.0 to 7.0.1

    Bumps coverage from 7.0.0 to 7.0.1.

    Changelog

    Sourced from coverage's changelog.

    Version 7.0.1 — 2022-12-23

    • When checking if a file mapping resolved to a file that exists, we weren't considering files in .whl files. This is now fixed, closing issue 1511_.

    • File pattern rules were too strict, forbidding plus signs and curly braces in directory and file names. This is now fixed, closing issue 1513_.

    • Unusual Unicode or control characters in source files could prevent reporting. This is now fixed, closing issue 1512_.

    • The PyPy wheel now installs on PyPy 3.7, 3.8, and 3.9, closing issue 1510_.

    .. _issue 1510: nedbat/coveragepy#1510
    .. _issue 1511: nedbat/coveragepy#1511
    .. _issue 1512: nedbat/coveragepy#1512
    .. _issue 1513: nedbat/coveragepy#1513

    .. _changes_7-0-0:

    Commits
    • c5cda3a docs: releases take a little bit longer now
    • 9d4226e docs: latest sample HTML report
    • 8c77758 docs: prep for 7.0.1
    • da1b282 fix: also look into .whl files for source
    • d327a70 fix: more information when mapping rules aren't working right.
    • 35e249f fix: certain strange characters caused reporting to fail. #1512
    • 152cdc7 fix: don't forbid plus signs in file names. #1513
    • 31513b4 chore: make upgrade
    • 873b059 test: don't run tests on Windows PyPy-3.9
    • 5c5caa2 build: PyPy wheel now installs on 3.7, 3.8, and 3.9. #1510
    • Additional commits viewable in compare view

    dependencies python 
    opened by dependabot[bot] 3
  • Allow ignoring CVEs

    Allow ignoring CVEs

    Motivation: One might need a way to ignore a vulnerability

    • temporarily until a migration to a new library would take place so that safety check does not fail every day until you migrate
    • permanently for example, if you faced a CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2020-28463
    enhancement 
    opened by micheller 3
  • report-only and report_format not implemented ?

    report-only and report_format not implemented ?

    Hello, thanks for this program. I did try the report_only mode with report_format as json but cannot make it work; it seems the program just ignores it. I checked the code a bit but didn't find the part of the code that makes these parameters work, so I'm thinking that maybe it's an unimplemented feature?

    bug 
    opened by inkhey 3
  • `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    Reproducible sample

    SKJOLD_GITHUB_API_TOKEN=<YOUR_TOKEN> skjold -v audit poetry.lock -s pyup -s gemnasium -s pypa -s osv -s github
    

    Versions

    skjold, version 0.5.1

    Related source code

    https://github.com/twu/skjold/blob/1de5a6696d78b846a7eadbf8f7cf20f20ac31a2b/src/skjold/tasks.py#L60

    Possible fix

    Check CLI arguments before raising the warning.

    opened by AIGeneratedUsername 2
  • pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits started failing in the past day or so. Here's an example:

    $ rm -rf .skjold_cache/
    $ echo 'bottle==0.12.23' | skjold audit -s pypa -
    Warning: No 'pyproject.toml' found!
    Traceback (most recent call last):
      File "../env/bin/skjold", line 8, in <module>
        sys.exit(cli())
      File "../env/lib/python3.7/site-packages/click/core.py", line 1130, in __call__
        return self.main(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1055, in main
        rv = self.invoke(ctx)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1657, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "../env/lib/python3.7/site-packages/click/core.py", line 1404, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/decorators.py", line 84, in new_func
        return ctx.invoke(f, obj, *args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/skjold/cli.py", line 184, in audit_
        findings = audit(config, packages, ignore=ignore)
      File "../env/lib/python3.7/site-packages/skjold/tasks.py", line 225, in audit
        if source.has_security_advisory_for(dependency):
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 65, in has_security_advisory_for
        return dependency.canonical_name in self.advisories.keys()
      File "../env/lib/python3.7/site-packages/skjold/core.py", line 123, in advisories
        self.populate_from_cache()
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 43, in populate_from_cache
        doc = yaml.load(obj_fh, Loader=yaml.SafeLoader)
      File "../env/lib/python3.7/site-packages/yaml/__init__.py", line 81, in load
        return loader.get_single_data()
      File "../env/lib/python3.7/site-packages/yaml/constructor.py", line 49, in get_single_data
        node = self.get_single_node()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 36, in get_single_node
        document = self.compose_document()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 55, in compose_document
        node = self.compose_node(None, None)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 84, in compose_node
        node = self.compose_mapping_node(anchor)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 127, in compose_mapping_node
        while not self.check_event(MappingEndEvent):
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 98, in check_event
        self.current_event = self.state()
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 428, in parse_block_mapping_key
        if self.check_token(KeyToken):
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 116, in check_token
        self.fetch_more_tokens()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 223, in fetch_more_tokens
        return self.fetch_value()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 579, in fetch_value
        self.get_mark())
    yaml.scanner.ScannerError: mapping values are not allowed here
      in ".skjold_cache/pypa.cache", line 2, column 98
    
    source:osv 
    opened by brondsem 2
  • Links to pyup.io point to 404 page

    Links to pyup.io point to 404 page

    Here's an example of an issue reported by skjold:

    cryptography==38.0.1 (<39.0.0) via pyup as pyup.io-51159 found in poetry.lock
    
    Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these
    versions are not receiving security support anymore.
    https://pyup.io/pyup.io-51159
    

    The link at the last line points to https://pyup.io/pyup.io-51159, however it should point to https://pyup.io/vulnerabilities/CVE-2021-41581/51159/

    It's likely appending the id instead of the more_info_path to the domain when constructing the link.

    bug source:pyup 
    opened by joakimnordling 2
  • Pre-commit hooks only checks files in root of repo

    Pre-commit hooks only checks files in root of repo

    The pattern for files in .pre-commit-hooks.yaml is set up to only check any poetry.lock, Pipfile.lock and requirements*.txt files in the root of the repo. However, it's not really uncommon that you have such files elsewhere in the repo. I'd suggest changing the pattern so that it'll scan such files elsewhere as well.

    If you agree on the idea, I can create a PR, or you can just update the line to be: files: (^|/)(poetry\.lock|Pipfile\.lock|requirements.*\.txt)$

    bug 
    opened by joakimnordling 2
  • Bump actions/checkout from 3.2.0 to 3.3.0

    Bump actions/checkout from 3.2.0 to 3.3.0

    Bumps actions/checkout from 3.2.0 to 3.3.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.3.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.2.0...v3.3.0

    Commits

    dependencies github_actions 
    opened by dependabot[bot] 0
Releases(v0.6.1)
  • v0.6.1(Dec 11, 2022)

    Bugfix/Maintenance release.

    What's Changed

    • CLI: Remove duplicate error/warning when sources are passed via CLI instead. (#163). Thanks @AIGeneratedUsername!
    • Dependencies: Support packaging >=21,<23.0. (#162). Thanks @whardier!
    • Dependencies: Bump types-toml from 0.10.8 to 0.10.8.1 (#156)
    • Dependencies: Bump mypy from 0.990 to 0.991 (#157)
    • Actions: Bump actions/setup-python from 4.3.0 to 4.3.1 (#160)

    Full Changelog: https://github.com/twu/skjold/compare/v0.6.0...v0.6.1

  • v0.6.0(Nov 11, 2022)

    Feature release.

    This release breaks .skjoldignore files when containing PyUP identifiers (See #148). You might need to re-add them to the ignore file using the CVE or new PyUP identifier.

    Changes

    • PyUP: Use 'cve' field as 'pyup' identifier. (#149). Thanks @joakimnordling!
    • Dependencies: Bump mypy from 0.981 to 0.982 (#141)
    • Dependencies: Bump black from 22.8.0 to 22.10.0 (#144)
    • Dependencies: Bump pytest-mock from 3.9.0 to 3.10.0 (#143)
    • Dependencies: Bump pytest from 7.1.3 to 7.2.0 (#146)
    • Dependencies: Bump types-pyyaml from 6.0.12 to 6.0.12.1 (#147)
    • Dependencies: Bump pytest-sugar from 0.9.5 to 0.9.6 (#151)
    • Dependencies: Bump mypy from 0.982 to 0.990 (#152)
    • Dependencies: Bump types-pyyaml from 6.0.12.1 to 6.0.12.2 (#153)
    • Actions: Bump actions/checkout from 3.0.2 to 3.1.0 (#142)
    • Actions: Bump actions/setup-python from 4.2.0 to 4.3.0 (#145)

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.1...v0.6.0

  • v0.5.1(Oct 3, 2022)

    Hotfix release.

    Changes

    • PyUP: Use more_info_path to create correct pyup.io URLs (https://github.com/twu/skjold/pull/140). Thanks @joakimnordling!
    • Dependencies: Bump types-pyyaml from 6.0.9 to 6.0.12 (https://github.com/twu/skjold/pull/134).
    • Dependencies: Bump types-toml from 0.10.7 to 0.10.8 (https://github.com/twu/skjold/pull/124).
    • Actions: Bump coverage from 6.4.1 to 6.5.0 (https://github.com/twu/skjold/pull/138).
    • Actions: Bump actions/setup-python from 4.0.0 to 4.2.0 (https://github.com/twu/skjold/pull/128, https://github.com/twu/skjold/pull/122).

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.0...v0.5.1

  • v0.5.0(Jul 2, 2022)

    Feature / Hotfix release.

    Breaking: This version drops support for Python 3.6 (#117) and adds the filename to both output formats (#118).

    Changes

    • Packaging: Switch to poetry-core (#91). Thanks @fabaff!
    • Gemnasium: Properly handle false positives/withdrawn CVEs marked with (,0) (#90). Thanks @stesix!
    • OSV: Support latest OSV/PyPA schema (only using ECOSYSTEM + versions) (#115). Thanks @Kurt-von-Laven!
    • Feature: Support handling multiple input files (#118). Thanks @joakimnordling!
    • Actions: Bump actions/checkout from 2.3.4 to 2.4.0 (#82).
    • Actions: Bump actions/setup-python from 2.2.2 to 2.3.2 (#93).
    • Breaking: Drops support for Python 3.6 (#117)

    Full Changelog: https://github.com/twu/skjold/compare/v0.4.1...v0.5.0

  • v0.4.1(Aug 9, 2021)

    Hotfix release.

    Changes

    • Github: Properly parse/handle github fixed version specifiers e.g. = 1.4.2. Fixes #61. Thanks @brondsem!
    • Github: Show correct environment variable name if Github API Token is not defined. See #62. Thanks @markus-k!
  • v0.4.0(Aug 8, 2021)

    Feature/Maintenance release.

    Important!: From this release onwards skjold depends on/uses packaging instead of poetry-semver (See #52 for details).

    Changes

    • Use packaging for parsing versions instead of poetry-semver. See #52
    • Display helpful message if Github Token is not found/set when using the github source. See #56
    • Updated dependencies.
  • v0.3.2(Jun 21, 2021)

    Bugfix release.

    Changes

    • Removing verbose flag from .pre-commit-hook.yaml as it is only supposed to be used during debugging. See comment. Thanks @asottile!
    • Bump types-pyyaml from 0.1.9 to 5.4.3 (#49)
  • v0.3.1(Jun 20, 2021)

  • v0.3.0(Jun 20, 2021)

    Feature / Maintenance release.

    Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

    Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

    Breaking Changes

    • CLI: skjold will now always write the number of ignored findings and vulnerable packages to stderr. The rest of the output json or cli are still written to stdout for easier redirection.

    Changes

    • CLI: Temporarily or permanently ignore findings based on their source identifiers added to .skjoldignore. (See #47) Thanks @micheller!
    • CLI: skjold now outputs ignored findings when using cli or json output formats.
    • OSV/PyPA Advisory DB: Initial support for using either osv or pypa as sources. (See #45)
    • CLI: Advisories with additional references are added to the cli output if present.
    • Bumps mypy to 0.902
      • Moves mypy.ini to pyproject.toml.
      • Adds types-toml and types-PyYAML as dev dependencies.
    • Update README.md.
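    A hook configuration illustrating the report_only note above, added here as an example that is not taken from the project's own documentation; the hook id, the rev and the [tool.skjold] report_only key are assumptions:

```yaml
# .pre-commit-config.yaml (added example; hook id and rev are assumed)
repos:
  - repo: https://github.com/twu/skjold
    rev: v0.3.0               # pin the release you actually use
    hooks:
      - id: skjold            # assumed hook id
        # With report_only set in pyproject.toml under [tool.skjold] the hook
        # always exits 0, so pre-commit suppresses its output unless verbose
        # is enabled. Without this line the audit runs but nothing is shown.
        verbose: true
        # The hook only runs when a dependency file (e.g. Pipfile.lock,
        # poetry.lock, requirements.txt) is part of the commit; it does not
        # re-check dependencies on every commit.
```

    Without report_only the hook fails the commit on findings, so verbose: true is then optional rather than required.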
  • v0.2.1(Feb 1, 2021)

    Bugfix / Maintenance release.

    Changes

    • Gemnasium: Assume all versions are affected if 'affected_versions' string is empty. (#30). Thanks @dermoumi!
    • Bump pyyaml from 5.3.1 to 5.4.1 (#24, #26)
    • Bump coverage from 5.3.1 to 5.4 (#29)
    • Bump pytest from 6.2.1 to 6.2.2 (#28)
    • Bump mypy from 0.790 to 0.800 (#27)
    • Bump pytest-cov from 2.10.1 to 2.11.1 (#23, #25)
    • Bump pytest-mock from 3.4.0 to 3.5.1 (#21, #22)
    • Update README.md.
  • v0.2.0(Jan 2, 2021)

    Bugfix / Feature release.

    Changes

    • Refactored CLI.
    • Fix issue with CLI defaults overriding already set values. Fixes #11. Thanks @inkhey!
    • Add py.typed marker file (PEP 561).
    • Replaced tomlkit with the more commonly used toml.
    • Replaced requests with urllib from the standard library.
    • Remove pytest-env since it is unused.
    • Use latest actions/checkout and actions/setup-python in test workflow.
    • Dependencies are now updated by dependabot.
    • Updated dependencies.
  • v0.1.6(Oct 5, 2020)

    Bugfix / Maintenance release.

    Changes

    • Update README.md. Fix for wrong option name in documentation. Thanks @endwaa! (#7)
    • Properly handle PyUp $meta field when populating advisories from cache. (#8)
    • Set pre-commit default python interpreter from 3.7 to 3.8.
    • Start testing against 3.9.0-rc2.
    • Use latest actions/checkout@v2 and actions/setup-python@v2 in test workflow.
    • Update pre-commit hook (v2.5.0 -> v3.2.0) and black hook (19.10b0 -> 20.8b1) repositories.
    • Updated dependencies.
  • v0.1.5(Mar 4, 2020)

    Feature release.

    Changes

    • Determine severity (Base Score) using CVSS 2.0 / CVSS 3.x vectors from Gemnasium records.
    • Print a warning to stderr when failing to extract package and pinned version from a requirements.txt-formatted file. Thanks @brondsem! (#3)
    • Simplify pre-commit instructions. Thanks @asottile! (#6)
    • Updated dependencies.
  • v0.1.4(Mar 1, 2020)

    Bugfix release.

    Changes

    • Fix #4: CLI crashes when given unknown severity level. Thanks @brondsem! (PR #5)
    • Use red instead of yellow for results with UNKNOWN severity from PyUP and Gemnasium where skjold is (currently) not able to extract or calculate the severity of the item.
    • Colorize results with UNKNOWN severity red instead of yellow.
    • Extend CLI coloring dictionary to cover CVSS v2.0 and CVSS v3.0 severity levels.
    • Set returned severity of PyUP results to 'UNKNOWN' as severity is not present in safety-db.
    • Start handling comments in requirements.txt. Thanks @brondsem!
    • Add bug tracker and changelog URLs to pyproject.toml.
    • Update README.md. Thanks @brondsem!
    • Extended tests.
  • v0.1.3(Feb 8, 2020)

    Bugfix release.

    Changes

    • Support for Python 3.6.
    • Type annotations for tests.

    Documentation

    • Fixed broken links in README.md. Thanks @ghtyrant!
  • v0.1.2(Jan 29, 2020)

  • v0.1.1(Jan 26, 2020)
