Ochrona: check your open-source dependencies for vulnerabilities

Project description for ochrona


ochrona


Ochrona is a command line tool for checking Python projects for vulnerabilities in their dependencies. Ochrona has a free tier license which allows 25 scans per month.

You can sign up for an API key at https://ochrona.dev.

We care deeply about Developer Experience (DX); if you have any feedback or run into issues, please open an issue here.

Supported file types

  • *requirements*.txt
  • Pipfile.lock
  • poetry.lock
  • setup.py

Installation

via pip

pip install ochrona

via pipenv

pipenv install ochrona

Configuration

via command line args

| Arg | Description | Type | Example |
|-----|-------------|------|---------|
| | Ochrona API Key | str | abc123 |
| | Directory to recursively search for dependency files to scan [.] | path | /User/me/my_project |
| | Single dependency file to scan | file | /User/me/my_project/requirements.txt |
| | Enable debug logging [False] | bool | True |
| | Silent mode [False] | bool | True |
| | The report type that's desired [BASIC] | str | XML |
| | Location for report output | path | /User/me/my_project/logs |
| | Exit with Code 0 regardless of vulnerability findings. [False] | bool | True |
| | Ignore a CVE or package | str | requests |
| | Include develop dependencies from Pipfile.lock [False] | bool | True |
| | The name of your project | str | "My Example Project" |
| | Alert configuration for use with DADA. This is expressed as a JSON string | str | '{"alerting_addresses": "test@ohrona.dev", "alerting_rules": "not:boto3"}' |

via environment variables


via .ochrona.yml

An empty .ochrona.yml file is included in the repo. Example:

# api_key: <your key>
# debug: true
# silent: false
# dir: .
# report_type: JSON
# report_location: .
# ignore: requests
# include_dev: false
# project_name: my_test_project
# alert_config:
#   alerting_addresses: test@web.com
#   alerting_rules: not:boto3

Usage examples

Full default mode

$ ochrona 

This will search recursively from the run location for any supported dependency files. Results are printed to stdout in the BASIC format. If any confirmed vulnerabilities are found, the program exits with an error exit code.

Standard exit code with JUnit XML report saved to file

$ ochrona --exit --report_type XML --output ./output

Safe import mode

In this mode ochrona acts as a safe wrapper around a standard pip install, ensuring that a package and its dependencies are safe before they are installed. The package is checked against the Ochrona API first and is only imported if no vulnerabilities are found. It can be used with a base package (e.g. requests) or with a package pinned to an exact version (e.g. requests==2.21.0).

$ ochrona --install <package_name>

Reports

Basic

Report 1 of 1
╞====================================================================================================╡
| Source: ./requirements.txt
╞====================================================================================================╡
| ⚠️  Vulnerability Detected!
╞----------------------------------------------------------------------------------------------------╡
| Package -- requests
╞----------------------------------------------------------------------------------------------------╡
| Installed Version -- requests==2.19.0
╞----------------------------------------------------------------------------------------------------╡
| CVE -- CVE-2018-18074
╞----------------------------------------------------------------------------------------------------╡
| Severity -- 9.8 
╞----------------------------------------------------------------------------------------------------╡
| Affected Versions --  =0.0.1, =0.2.0, =0.2.1, =0.2.2, =0.2.3, =0.2.4, =0.3.0, =0.3.1, =0.3.2,
=0.3.3, =0.3.4, =0.4.0, =0.4.1, =0.5.0, =0.5.1, =0.6.0, =0.6.1, =0.6.2, =0.6.3, =0.6.4, =0.6.5,
=0.6.6, =0.7.0, =0.7.1, =0.7.2, =0.7.3, =0.7.4, =0.7.5, =0.7.6, =0.8.0, =0.8.1, =0.8.2, =0.8.3,
=0.8.4, =0.8.5, =0.8.6, =0.8.7, =0.8.8, =0.8.9, =0.9.0, =0.9.1, =0.9.2, =0.9.3, =0.10.0, =0.10.1,
=0.10.2, =0.10.3, =0.10.4, =0.10.5, =0.10.6, =0.10.7, =0.10.8, =0.11.0, =0.11.1, =0.11.2, =0.12.0,
=0.12.1, =0.13.0, =0.13.1, =0.13.2, =0.13.3, =0.13.4, =0.13.5, =0.13.6, =0.13.7, =0.13.8, =0.13.9,
=0.14.0, =0.14.1, =0.14.2, =1.0.0, =1.0.1, =1.0.2, =1.0.3, =1.0.4, =1.1.0, =1.2.0, =1.2.1, =1.2.2,
=1.2.3, =2.0, =2.0.0, =2.0.1, =2.1.0, =2.2.0, =2.2.1, =2.3.0, =2.4.0, =2.4.1, =2.4.2, =2.4.3,
=2.5.0, =2.5.1, =2.5.2, =2.5.3, =2.6.0, =2.6.1, =2.6.2, =2.7.0, =2.8.0, =2.8.1, =2.9.0, =2.9.1,
=2.9.2, =2.10.0, =2.11.0, =2.11.1, =2.12.0, =2.12.1, =2.12.2, =2.12.3, =2.12.4, =2.12.5, =2.13.0,
=2.14.0, =2.14.1, =2.14.2, =2.15.0, =2.15.1, =2.16.0, =2.16.1, =2.16.2, =2.16.3, =2.16.4, =2.16.5,
=2.17.0, =2.17.1, =2.17.2, =2.17.3, =2.18.0, =2.18.1, =2.18.2, =2.18.3, =2.18.4, =2.19.0,
=2.19.1
╞----------------------------------------------------------------------------------------------------╡
╞====================================================================================================╡

Report 1 of 1
╞====================================================================================================╡
| Source: ./tests/test_data/fail/requirements.txt
╞====================================================================================================╡
| ⚠️  Vulnerability Detected!
╞----------------------------------------------------------------------------------------------------╡
| Package -- requests
╞----------------------------------------------------------------------------------------------------╡
| Installed Version -- requests==2.19.0
╞----------------------------------------------------------------------------------------------------╡
| Reason -- Flagged as a confirmed vulnerability because version was an exact match for
dependency: requests
╞----------------------------------------------------------------------------------------------------╡
| CVE -- CVE-2018-18074
╞----------------------------------------------------------------------------------------------------╡
| Vulnerability Publish Date -- 2018-10-09T17:29Z
╞----------------------------------------------------------------------------------------------------╡
| Severity -- 9.8 
╞----------------------------------------------------------------------------------------------------╡
| Description -- The Requests package before 2.20.0 for Python sends an HTTP Authorization
header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier
for remote attackers to discover credentials by sniffing the network.
╞----------------------------------------------------------------------------------------------------╡
| Affected Version(s) --  =0.0.1, =0.2.0, =0.2.1, =0.2.2, =0.2.3, =0.2.4, =0.3.0, =0.3.1,
=0.3.2, =0.3.3, =0.3.4, =0.4.0, =0.4.1, =0.5.0, =0.5.1, =0.6.0, =0.6.1, =0.6.2, =0.6.3, =0.6.4,
=0.6.5, =0.6.6, =0.7.0, =0.7.1, =0.7.2, =0.7.3, =0.7.4, =0.7.5, =0.7.6, =0.8.0, =0.8.1, =0.8.2,
=0.8.3, =0.8.4, =0.8.5, =0.8.6, =0.8.7, =0.8.8, =0.8.9, =0.9.0, =0.9.1, =0.9.2, =0.9.3, =0.10.0,
=0.10.1, =0.10.2, =0.10.3, =0.10.4, =0.10.5, =0.10.6, =0.10.7, =0.10.8, =0.11.0, =0.11.1, =0.11.2,
=0.12.0, =0.12.1, =0.13.0, =0.13.1, =0.13.2, =0.13.3, =0.13.4, =0.13.5, =0.13.6, =0.13.7, =0.13.8,
=0.13.9, =0.14.0, =0.14.1, =0.14.2, =1.0.0, =1.0.1, =1.0.2, =1.0.3, =1.0.4, =1.1.0, =1.2.0, =1.2.1,
=1.2.2, =1.2.3, =2.0, =2.0.0, =2.0.1, =2.1.0, =2.2.0, =2.2.1, =2.3.0, =2.4.0, =2.4.1, =2.4.2,
=2.4.3, =2.5.0, =2.5.1, =2.5.2, =2.5.3, =2.6.0, =2.6.1, =2.6.2, =2.7.0, =2.8.0, =2.8.1, =2.9.0,
=2.9.1, =2.9.2, =2.10.0, =2.11.0, =2.11.1, =2.12.0, =2.12.1, =2.12.2, =2.12.3, =2.12.4, =2.12.5,
=2.13.0, =2.14.0, =2.14.1, =2.14.2, =2.15.0, =2.15.1, =2.16.0, =2.16.1, =2.16.2, =2.16.3, =2.16.4,
=2.16.5, =2.17.0, =2.17.1, =2.17.2, =2.17.3, =2.18.0, =2.18.1, =2.18.2, =2.18.3, =2.18.4, =2.19.0,
=2.19.1
╞----------------------------------------------------------------------------------------------------╡
| References -- 
        http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
        http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
        https://access.redhat.com/errata/RHSA-2019:2035
        https://bugs.debian.org/910766
        https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
        https://github.com/requests/requests/issues/4716
        https://github.com/requests/requests/pull/4718
        https://usn.ubuntu.com/3790-1/
        https://usn.ubuntu.com/3790-2/ 
╞====================================================================================================╡
╞====================================================================================================╡

XML (JUnit)

<?xml version="1.0" ?>
<testsuites>
   <testsuite tests="84">
      <properties>
         <property name="source" value="./tests/test_data/fail/requirements.txt"/>
         <property name="timestamp" value="2019-10-18T15:53:57.145247"/>
      </properties>
      <testcase classname="ochronaDependencyVulnCheck" name="requests==2.19.0">
         <failure type="confirmed_vulnerability">The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.</failure>
      </testcase>
      <testcase classname="ochronaDependencyVulnCheck" name="Click==7.0"/>
      <testcase classname="ochronaDependencyVulnCheck" name="Flask==1.1.1"/>
      <testcase classname="ochronaDependencyVulnCheck" name="itsdangerous==1.1.0"/>
      <testcase classname="ochronaDependencyVulnCheck" name="Jinja2==2.10.1"/>
      <testcase classname="ochronaDependencyVulnCheck" name="MarkupSafe==1.1.1"/>
      <testcase classname="ochronaDependencyVulnCheck" name="Werkzeug==0.15.4"/>
      <testcase classname="ochronaDependencyVulnCheck" name="coverage"/>
      ...
      <testcase classname="ochronaDependencyVulnCheck" name="python-dotenv"/>
   </testsuite>
</testsuites>

JSON

{
    "meta": {
        "source": "./tests/test_data/fail/requirements.txt",
        "timestamp": "2019-10-18T16:04:45.312481"
    },
    "findings": [
        {
            "owner": "python-requests",
            "repo_url": "http://python-requests.org",
            "ochrona_id": "595ace88-3240-468b-a2a3-331e2439e659",
            "references": [
                "http://docs.python-requests.org/en/master/community/updates/#release-and-version-history",
                "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html",
                "https://access.redhat.com/errata/RHSA-2019:2035",
                "https://bugs.debian.org/910766",
                "https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff",
                "https://github.com/requests/requests/issues/4716",
                "https://github.com/requests/requests/pull/4718",
                "https://usn.ubuntu.com/3790-1/",
                "https://usn.ubuntu.com/3790-2/"
            ],
            "cwe_id": "CWE-255",
            "impact": {
                "a": "HIGH",
                "ac": "LOW",
                "pr": "NONE",
                "c": "HIGH",
                "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "i": "HIGH",
                "impact_score": "5.9",
                "cvss3_severity": "CRITICAL",
                "cvss2_severity": "MEDIUM",
                "s": "UNCHANGED",
                "ui": "NONE",
                "cvss2_score": "5.0",
                "av": "NETWORK",
                "exploitability_score": "3.9",
                "cvss3_score": "9.8"
            },
            "description": "The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.",
            "language": "python",
            "ochrona_severity_score": "9.8",
            "repository_summary": "Python HTTP for Humans.",
            "license": "Apache 2.0",
            "latest_version": "2.22.0",
            "cve_id": "CVE-2018-18074",
            "affected_versions": [
                {
                    "version_value": "0.0.1",
                    "operator": "="
                },
                {
                    "version_value": "0.2.0",
                    "operator": "="
                },
                ...
                {
                    "version_value": "2.19.1",
                    "operator": "="
                }
            ],
            "name": "requests",
            "publish_date": "2018-10-09T17:29Z",
            "found_version": "requests==2.19.0",
            "reason": "Flagged as a confirmed vulnerability because version was an exact match for dependency: requests"
        }
    ]
}
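The XML and JSON reports above are the formats a CI job consumes. As an added example, not part of the ochrona project, the Python script below reads a JSON report (a trimmed copy of the page's example, constructed inline) and decides whether a build should fail: it applies the exact-version rule stated in the report's `reason` field, an ignore list in the spirit of the ignore option, and a severity threshold; it also counts the `<failure>` test cases in a trimmed copy of the JUnit XML report. The 7.0 threshold, the function names and the sample data are assumptions of this example.

```python
"""Added example (not ochrona's own code): gate a CI build on an ochrona report.

Assumed here: the 7.0 severity threshold, the helper names, and the sample
reports, which are trimmed copies of the examples shown on this page.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample finding: a trimmed copy of the JSON report's single
# finding (the long affected_versions list is shortened to three entries).
SAMPLE_FINDING = {
    "name": "requests",
    "found_version": "requests==2.19.0",
    "cve_id": "CVE-2018-18074",
    "ochrona_severity_score": "9.8",
    "impact": {"cvss3_severity": "CRITICAL", "cvss3_score": "9.8"},
    "affected_versions": [
        {"version_value": "0.0.1", "operator": "="},
        {"version_value": "2.19.0", "operator": "="},
        {"version_value": "2.19.1", "operator": "="},
    ],
    "reason": "Flagged as a confirmed vulnerability because version was an "
              "exact match for dependency: requests",
}

SAMPLE_JSON_REPORT = json.dumps({
    "meta": {"source": "./tests/test_data/fail/requirements.txt",
             "timestamp": "2019-10-18T16:04:45.312481"},
    "findings": [SAMPLE_FINDING],
})

# Constructed sample: a trimmed copy of the JUnit XML report shown on the page.
SAMPLE_XML_REPORT = """<?xml version="1.0" ?>
<testsuites>
   <testsuite tests="3">
      <properties>
         <property name="source" value="./tests/test_data/fail/requirements.txt"/>
      </properties>
      <testcase classname="ochronaDependencyVulnCheck" name="requests==2.19.0">
         <failure type="confirmed_vulnerability">Requests before 2.20.0 leaks the Authorization header on an https-to-http redirect.</failure>
      </testcase>
      <testcase classname="ochronaDependencyVulnCheck" name="Click==7.0"/>
      <testcase classname="ochronaDependencyVulnCheck" name="coverage"/>
   </testsuite>
</testsuites>"""


def pinned_version(found_version):
    """Return the exact version from a 'pkg==x.y.z' spec, or None if unpinned."""
    if "==" not in found_version:
        return None
    return found_version.split("==", 1)[1].strip()


def is_exact_match(found_version, affected_versions):
    """The rule the report's reason field describes: confirmed when the pinned
    version equals an '=' entry. Other operators do not appear in the page's
    example, so they are deliberately not interpreted here."""
    version = pinned_version(found_version)
    if version is None:
        return False
    return any(av["operator"] == "=" and av["version_value"] == version
               for av in affected_versions)


def gate_json_report(report_text, threshold=7.0, ignore=()):
    """Decide whether a build should fail. A finding blocks the build when it
    is an exact-version match, is not ignored (by package name or CVE id) and
    its severity score reaches the threshold. Returns the decision details."""
    report = json.loads(report_text)
    blocking, skipped = [], []
    for f in report["findings"]:
        ignored = f["name"] in ignore or f["cve_id"] in ignore
        score = float(f["ochrona_severity_score"])
        entry = (f["name"], f["cve_id"], score)
        if (not ignored and score >= threshold
                and is_exact_match(f["found_version"], f["affected_versions"])):
            blocking.append(entry)
        else:
            skipped.append(entry)
    return {"source": report["meta"]["source"],
            "exit_code": 1 if blocking else 0,
            "blocking": blocking, "skipped": skipped}


def summarize_junit_report(xml_text):
    """Count checked packages and list the test cases carrying a <failure>."""
    root = ET.fromstring(xml_text)
    cases = list(root.iter("testcase"))
    failed = [tc.get("name") for tc in cases if tc.find("failure") is not None]
    return {"checked": len(cases), "failed": failed}


if __name__ == "__main__":
    decision = gate_json_report(SAMPLE_JSON_REPORT)
    print("JSON gate for", decision["source"], "-> exit", decision["exit_code"])
    for name, cve, score in decision["blocking"]:
        print("  blocking:", name, cve, score)
    print("JUnit summary:", summarize_junit_report(SAMPLE_XML_REPORT))
```

The ignore list accepts either a package name or a CVE id, matching the two kinds of value the ignore option documents above; lowering the threshold to 0 makes every confirmed finding block the build, which is the behaviour of the default mode described in the usage section.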

java如何将cassandra中的行数据转换为与列相关的嵌套json   java如何使用jcr XPath在jcr:content/@jcr:data中搜索?   java在使用openCV进行安卓开发时如何利用手机的广角镜头   java解析扩展了接口,结束了一个潜在的无限循环   位置服务的@Override方法中存在java Android应用程序错误   java本地线程的用途和需求是什么   具有左右子访问的java节点树遍历   java验证JsonWebToken签名   JUL日志处理程序中的java日志记录   嵌入式Java读取给定时间段的串行数据。   java有没有办法从多个URL获取多个图像?   java线程通过等待intent阻止自己发送intent   java Spring MVC解析多部分内容请求   java JPA/Hibernate静态元模型属性未填充NullPointerException   java格式错误的字符(需要引号,得到I)~正在处理   java为什么PrintWriter对象抛出FileNotFoundException?   java Neo4j未正确保存标签   java IE不加载图像