Security audit Python project dependencies against security advisory databases.

Last update: Dec 17, 2022

Overview

        .         .    .      Skjold /skjɔl/
    ,-. | , . ,-. |  ,-|
    `-. |<  | | | |  | |      Security audit python project dependencies
    `-' ' ` | `-' `' `-´      against several security advisory databases.
           `'

Introduction

It currently supports fetching advisories from the following sources:

Source	Name	Notes
GitHub Advisory Database	`github`
PyUP.io safety-db	`pyup`
GitLab gemnasium-db	`gemnasium`
PYPA Advisory Database	`pypa`	Experimental! Only supports `ECOSYSTEM` and `SEMVER`!
OSV.dev Database	`osv`	Experimental! Only supports `ECOSYSTEM` and `SEMVER`! Sends package information to OSV.dev API.

No source is enabled by default! Individual sources can be enabled by setting sources list (see Configuration). There is (currently) no de-duplication meaning that using all of them could result in a lot of duplicates.

Motivation

Skjold was initially created for myself to replace safety. ~~Which appears to no longer receive monthly updates (see pyupio/safety-db #2282)~~. I wanted something I can run locally and use for my local or private projects/scripts.

I currently also use it during CI builds and before deploying/publishing containers or packages.

Installation

skjold can be installed from either PyPI or directly from Github using pip:

pip install skjold                                        # Install from PyPI
pip install git+https://github.com/twu/[email protected]  # Install from Github

This should provide a script named skjold that can then be invoked. See Usage.

Usage

$ pip list --format=freeze | skjold -v audit --sources gemnasium -

When running audit one can either provide a path to a frozen requirements.txt, a poetry.lock or a Pipfile.lock file. Alternatively, dependencies can also be passed in via stdin (formatted as package==version).

skjold will maintain a local cache (under cache_dir) that will expire automatically after cache_expires has passed. The cache_dir and cache_expires can be adjusted by setting them in tools.skjold section of the projects pyproject.toml (see Configuration for more details). The cache_dirwill be created automatically, and by default unless otherwise specified will be located under $HOME/.skjold/cache.

For further options please read skjold --help and/or skjold audit --help.

Examples

All examples involving github assume that SKJOLD_GITHUB_API_TOKEN is already set (see Github).

# Using pip list. Checking against GitHub only.
$ pip list --format=freeze | skjold audit -s github -

# Be verbose. Read directly from supported formats.
$ skjold -v audit requirements.txt
$ skjold -v audit poetry.lock
$ skjold -v audit Pipenv.lock

# Using poetry.
$ poetry export -f requirements.txt | skjold audit -s github -s gemnasium -s pyup -

# Using poetry, format output as json and pass it on to jq for additional filtering.
$ poetry export -f requirements.txt | skjold audit -o json -s github - | jq '.[0]'

# Using Pipenv, checking against Github
$ pipenv run pip list --format=freeze | skjold audit -s github -

# Checking a single package via stdin against Github and format findings as json.
$ echo "urllib3==1.23" | skjold audit -o json -r -s github -
[
  {
    "severity": "HIGH",
    "name": "urllib3",
    "version": "1.23",
    "versions": "<1.24.2",
    "source": "github",
    "summary": "High severity vulnerability that affects urllib3",
    "references": [
      "https://nvd.nist.gov/vuln/detail/CVE-2019-11324"
    ],
    "url": "https://github.com/advisories/GHSA-mh33-7rrq-662w"
  }
]

# Checking a single package via stdin against Gemnasium and report findings (`-o cli`).
$ echo "urllib3==1.23" | skjold audit -o cli -r -s gemnasium -

urllib3==1.23 (<=1.24.2) via gemnasium

CRLF injection. In the urllib3 library for Python, CRLF injection is possible
if the attacker controls the request parameter.
https://nvd.nist.gov/vuln/detail/CVE-2019-11236
--

urllib3==1.23 (<1.24.2) via gemnasium

Weak Authentication Caused By Improper Certificate Validation. The urllib3
library for Python mishandles certain cases where the desired set of CA
certificates is different from the OS store of CA certificates, which results
in SSL connections succeeding in situations where a verification failure is the
correct outcome. This is related to use of the `ssl_context`, `ca_certs`, or
`ca_certs_dir` argument.
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
--

urllib3==1.23 (<1.25.9) via gemnasium

Injection Vulnerability. urllib3 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting `CR` and `LF` control
characters in the first argument of `putrequest()`. NOTE: this is similar to
CVE-2020-26116.
https://nvd.nist.gov/vuln/detail/CVE-2020-26137
--

Ignore Findings

Findings can be ignored either by manually adding an entry using the sources identifier to a file named .skjoldignore (See Example) or by using in the CLI. Below are a few possible usage examples.

skjold audit -s pyup poetry.lock # ... or using -i/--ignore-file $ skjold audit -s pyup -i poetry.lock">

# Ignore PYSEC-2020-148 finding from PyPA source until a certain date with a specific reason.
$ skjold ignore urllib3 PYSEC-2020-148 --reason "Very good reason." --expires "2021-01-01T00:00:00+00:00"
Ignore urllib3 in PYSEC-2020-148 until 2021-01-01 00:00:00+00:00?
Very good reason.
--
Add to '.skjoldignore'? [y/N]: y

# Ignore PYSEC-2020-148 finding from PyPA source for 7 days with "No immediate remediation." reason.
$ skjold ignore urllib3 PYSEC-2020-148
Ignore urllib3 in PYSEC-2020-148 until ...?
No immediate remediation.
--
Add to '.skjoldignore'? [y/N]: y

# Audit `poetry.lock` using a custom `.skjoldignore` file location via `ENV`...
$ SKJOLD_IGNORE_FILE=
    
      skjold audit -s pyup poetry.lock

# ... or using -i/--ignore-file
$ skjold audit -s pyup -i 
     
       poetry.lock

Configuration

skjold can read its configuration from the tools.skjold section of a projects pyproject.toml. Arguments specified via the command-line should take precedence over any configured or default value.

[tool.skjold]
sources = ["github", "pyup", "gemnasium"]  # Sources to check against.
report_only = true                         # Report only, always exit with zero.
report_format = 'json'                     # Output findings as `json`. Default is 'cli'.
cache_dir = '.skjold_cache'                # Cache location (default: `~/.skjold/cache`).
cache_expires = 86400                      # Cache max. age.
ignore_file = '.skjoldignore'              # Ignorefile location (default `.skjoldignore`).
verbose = true                             # Be verbose.

To take a look at the current configuration / defaults run:

$ skjold config
sources: ['pyup', 'github', 'gemnasium']
report_only: True
report_format: json
verbose: False
cache_dir: .skjold_cache
cache_expires: 86400
ignore_file = '.skjoldignore'

Github

For the github source to work you'll need to provide a Github API Token via an ENV variable named SKJOLD_GITHUB_API_TOKEN. You can create a new Github Access Token here. You do not have to give it any permissions as it is only required to query the GitHub GraphQL API v4 API.

Version Control Integration

To use skjold with the excellent pre-commit framework add the following to the projects .pre-commit-config.yaml after installation.

repos:
  - repo: https://github.com/twu/skjold
    rev: vX.X.X
    hooks:
    - id: skjold
      verbose: true  # Important if used with `report_only`, see below.

After running pre-commit install the hook should be good to go. To configure skjold in this scenario I recommend adding the entire configuration to the projects pyproject.toml instead of manipulating the hook args. See this projects pyproject.toml for an example.

Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

You could run pre-commit run skjold --all-files manually in your workflow/scripts or run skjold manually. If you have a better solution please let me know!

Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Comments

Bump pytest-mock from 3.9.0 to 3.10.0
Bumps pytest-mock from 3.9.0 to 3.10.0.

Release notes

Sourced from pytest-mock's releases.

v3.10.0

Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls (#319).

Changelog

Sourced from pytest-mock's changelog.

3.10.0 (2022-10-05)

Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls ([#319](https://github.com/pytest-dev/pytest-mock/issues/319)_).

.. _#319: pytest-dev/pytest-mock#319

Commits

6c03dfd Release 3.10.0

fbb5039 Implement selective un-spying and un-patching (#319)

a1c7421 [pre-commit.ci] pre-commit autoupdate (#321)

4f2703c Add Python 3.11 support (#320)

1e2001f Merge pull request #318 from willfrey/patch-2

798f07e [pre-commit.ci] pre-commit autoupdate (#317)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies python
opened by dependabot[bot] 5
Pre-commit hook fails if multiple lock or requirements files are modified at same time
If you in your repo have multiple files that should be analyzed by skjold and use it as a pre-commit hook, the hook fails if you modify multiple lock/requirements files in the same commit.

The reason to the problem is that pre-commit tries to invoke skjold audit with multiple files as arguments at once and the skjold audit command only accepts one file at a time.

A minimal POC can be obtained by just creating an empty git repo (mkdir skjold-poc; cd skjold-poc; git init), enabling pre-commit (pre-commit install), adding a .pre-commit-config.yaml containing

repos: - repo: https://github.com/twu/skjold rev: v0.4.1 hooks: - id: skjold verbose: true

and then creating two (or more) requirements files (touch requirements.txt requirements-dev.txt) and then running git add .

If you then try to commit with git commit -m "Adding requirements files" you will be greeted with an error saying: Error: Got unexpected extra argument (requirements.txt). If you add even more different lock files or requirements-something.txt files the message will be expanded with more extra arguments.

It's probably not that common people would have both poetry.lock and Pipfile.lock files, but possible people want to have multiple requirements.txt files (one for dev and one for prod) or multiple lock files in different directories of the same repo and get them all analyzed. It's of course possible to somewhat well avoid the problem by modifying only one lock file at a time, but the same issue also affects pre-commit run --all-files that will scan all the matched files regardless of if they've been changed or not.
bug
opened by joakimnordling 4

More flexibility in requirements.txt format

If a requirements file has anything extra, this error is raised:

  File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/cli.py", line 169, in audit_
    packages = extract_package_list_from(config, file, file_format)
  File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 80, in extract_package_list_from
    for package in reader_func(file):
  File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 47, in read_requirements_txt_from
    package_name, package_version = line.strip().split(" ")[0].split("==")
ValueError: not enough values to unpack (expected 2, got 1)

The most common example that can cause this is # for comments.

I also have requirements.txt files with hashes specified and spanning multiple lines, like this:

beautifulsoup4==4.8.0 \
    --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \
    --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b \
    --hash=sha256:f040590be10520f2ea4c2ae8c3dae441c7cfff5308ec9d58a0ec0c1b8f81d469

There are other things that can be in a valid requiremens.txt file too, like extra pip options. https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format

These can all be worked around by massaging the requirements file first and passing it as stdin something like: cat requirements.txt | sed 's/#.*//' | skjold audit -s gemnasium - But it would be very handy for skjold to handle any requirements.txt file that is valid for pip

enhancement

opened by brondsem 4

Invalid specifier error

Hi @twu !! I got the bellow error. Can I help to fix this?

specifiers.SpecifierSet(f"=={x}", prereleases=True) File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__ parsed.add(Specifier(specifier)) File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__ raise InvalidSpecifier(f"Invalid specifier: '{spec}'") packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

opened by Bernardoow 3
Bump coverage from 7.0.0 to 7.0.1
Bumps coverage from 7.0.0 to 7.0.1.

Changelog

Sourced from coverage's changelog.

Version 7.0.1 — 2022-12-23

When checking if a file mapping resolved to a file that exists, we weren't considering files in .whl files. This is now fixed, closing issue 1511_.

File pattern rules were too strict, forbidding plus signs and curly braces in directory and file names. This is now fixed, closing issue 1513_.

Unusual Unicode or control characters in source files could prevent reporting. This is now fixed, closing issue 1512_.

The PyPy wheel now installs on PyPy 3.7, 3.8, and 3.9, closing issue 1510_.

.. _issue 1510: nedbat/coveragepy#1510 .. _issue 1511: nedbat/coveragepy#1511 .. _issue 1512: nedbat/coveragepy#1512 .. _issue 1513: nedbat/coveragepy#1513

.. _changes_7-0-0:

Commits

c5cda3a docs: releases take a little bit longer now

9d4226e docs: latest sample HTML report

8c77758 docs: prep for 7.0.1

da1b282 fix: also look into .whl files for source

d327a70 fix: more information when mapping rules aren't working right.

35e249f fix: certain strange characters caused reporting to fail. #1512

152cdc7 fix: don't forbid plus signs in file names. #1513

31513b4 chore: make upgrade

873b059 test: don't run tests on Windows PyPy-3.9

5c5caa2 build: PyPy wheel now installs on 3.7, 3.8, and 3.9. #1510

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies python
opened by dependabot[bot] 3
Allow ignoring CVEs
Motivation: One might need a way to ignore a vulnerability

temporarily until a migration to a new library would take place so that safety check does not fail every day until you migrate

permanently for example, if you faced a CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2020-28463

enhancement
opened by micheller 3
report-only and report_format not implemented ?

Hello, Thanks for this program. I do tried the report_only mode with report_format as json but cannot make it work, it seems the program just ignore it. I check a bit into the code but i didn't found the part of the code that does make these parameter work, so i'm thinking that maybe an unimplemented feature ?
bug

opened by inkhey 3
`Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI
Reproducible sample

SKJOLD_GITHUB_API_TOKEN=<YOUR_TOKEN> skjold -v audit poetry.lock -s pyup -s gemnasium -s pypa -s osv -s github

Versions

skjold, version 0.5.1

Related source code

https://github.com/twu/skjold/blob/1de5a6696d78b846a7eadbf8f7cf20f20ac31a2b/src/skjold/tasks.py#L60

Possible fix

Check CLI arguments before raising the warning.
opened by AIGeneratedUsername 2

pypa audits raise ScannerError: mapping values are not allowed here

pypa audits started failing in the past day or so. Here's an example:

$ rm -rf .skjold_cache/
$ echo 'bottle==0.12.23' | skjold audit -s pypa -
Warning: No 'pyproject.toml' found!
Traceback (most recent call last):
  File "../env/bin/skjold", line 8, in <module>
    sys.exit(cli())
  File "../env/lib/python3.7/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "../env/lib/python3.7/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "../env/lib/python3.7/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "../env/lib/python3.7/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "../env/lib/python3.7/site-packages/click/decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "../env/lib/python3.7/site-packages/skjold/cli.py", line 184, in audit_
    findings = audit(config, packages, ignore=ignore)
  File "../env/lib/python3.7/site-packages/skjold/tasks.py", line 225, in audit
    if source.has_security_advisory_for(dependency):
  File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 65, in has_security_advisory_for
    return dependency.canonical_name in self.advisories.keys()
  File "../env/lib/python3.7/site-packages/skjold/core.py", line 123, in advisories
    self.populate_from_cache()
  File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 43, in populate_from_cache
    doc = yaml.load(obj_fh, Loader=yaml.SafeLoader)
  File "../env/lib/python3.7/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
  File "../env/lib/python3.7/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
  File "../env/lib/python3.7/site-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "../env/lib/python3.7/site-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "../env/lib/python3.7/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "../env/lib/python3.7/site-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "../env/lib/python3.7/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "../env/lib/python3.7/site-packages/yaml/parser.py", line 428, in parse_block_mapping_key
    if self.check_token(KeyToken):
  File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 116, in check_token
    self.fetch_more_tokens()
  File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 223, in fetch_more_tokens
    return self.fetch_value()
  File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 579, in fetch_value
    self.get_mark())
yaml.scanner.ScannerError: mapping values are not allowed here
  in ".skjold_cache/pypa.cache", line 2, column 98

source:osv

opened by brondsem 2

Links to pyup.io point to 404 page
Here's an example of an issue reported by skjold:

cryptography==38.0.1 (<39.0.0) via pyup as pyup.io-51159 found in poetry.lock Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these versions are not receiving security support anymore. https://pyup.io/pyup.io-51159

The link at the last line points to https://pyup.io/pyup.io-51159, however it should point to https://pyup.io/vulnerabilities/CVE-2021-41581/51159/

It's likely appending the id instead of the more_info_path to the domain when constructing the link.
bug source:pyup
opened by joakimnordling 2
Pre-commit hooks only checks files in root of repo

The pattern for files in .pre-commit-hooks.yaml are set up to only check any poetry.lock, Pipfile.lock and requirements*.txt files in the root of the repo. However it's not really uncommon that you have such files elsewhere in the repo. I'd suggest changing the pattern so that it'll scan such files elsewhere as well.

If you agree on the idea, I can create a PR, or you can just update the line to be: files: (^|/)(poetry\.lock|Pipfile\.lock|requirements.*\.txt)$
bug

opened by joakimnordling 2
Bump actions/checkout from 3.2.0 to 3.3.0
Bumps actions/checkout from 3.2.0 to 3.3.0.

Release notes

Sourced from actions/checkout's releases.

v3.3.0

What's Changed

Implement branch list using callbacks from exec function by @cory-miller in actions/checkout#1045

Add in explicit reference to private checkout options by @vanZeben in actions/checkout#1050

Fix comment typos (that got added in #770) by @lurch in actions/checkout#1057

New Contributors

@vanZeben made their first contribution in actions/checkout#1050

@lurch made their first contribution in actions/checkout#1057

Full Changelog: https://github.com/actions/checkout/compare/v3.2.0...v3.3.0

Commits

ac59398 Fix comment typos (that got added in #770) (#1057)

3ba5ee6 Add in explicit reference to private checkout options (#1050)

8856415 Implement branch list using callbacks from exec function (#1045)

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies github_actions
opened by dependabot[bot] 0

Releases(v0.6.1)

v0.6.1(Dec 11, 2022)
Bugfix/Maintenance release.

What's Changed

CLI: Remove duplicate error/warning when sources are passed via CLI instead. (#163). Thanks @AIGeneratedUsername!

Dependencies: Support packaging >=21,<23.0. (#162). Thanks @whardier!

Dependencies: Bump types-toml from 0.10.8 to 0.10.8.1 (#156)

Dependencies: Bump mypy from 0.990 to 0.991 (#157)

Actions: Bump actions/setup-python from 4.3.0 to 4.3.1 (#160)

Full Changelog: https://github.com/twu/skjold/compare/v0.6.0...v0.6.1
Source code(tar.gz)
Source code(zip)
v0.6.0(Nov 11, 2022)
Feature release.

This release breaks .skjoldignore files when containing PyUP identifiers (See #148). You might need to re-add them to the ignore file using the CVE or new PyUP identifier.

Changes

PyUP: Use 'cve' field as 'pyup' identifier. (#149). Thanks @joakimnordling!

Dependencies: Bump mypy from 0.981 to 0.982 (#141)

Dependencies: Bump black from 22.8.0 to 22.10.0 (#144)

Dependencies: Bump pytest-mock from 3.9.0 to 3.10.0 (#143)

Dependencies: Bump pytest from 7.1.3 to 7.2.0 (#146)

Dependencies: Bump types-pyyaml from 6.0.12 to 6.0.12.1 (#147)

Dependencies: Bump pytest-sugar from 0.9.5 to 0.9.6 (#151)

Dependencies: Bump mypy from 0.982 to 0.990 (#152)

Dependencies: Bump types-pyyaml from 6.0.12.1 to 6.0.12.2 (#153)

Actions: Bump actions/checkout from 3.0.2 to 3.1.0 (#142)

Actions: Bump actions/setup-python from 4.2.0 to 4.3.0 (#145)

Full Changelog: https://github.com/twu/skjold/compare/v0.5.1...v0.6.0
Source code(tar.gz)
Source code(zip)
v0.5.1(Oct 3, 2022)
Hotfix release.

Changes

PyUP: Use more_info_path to create correct pyup.io URLs (https://github.com/twu/skjold/pull/140). Thanks @joakimnordling!

Dependencies: Bump types-pyyaml from 6.0.9 to 6.0.12 (https://github.com/twu/skjold/pull/134).

Dependencies: Bump types-toml from 0.10.7 to 0.10.8 (https://github.com/twu/skjold/pull/124).

Actions: Bump coverage from 6.4.1 to 6.5.0 (https://github.com/twu/skjold/pull/138).

Actions: Bump actions/setup-python from 4.0.0 to 4.2.0 (https://github.com/twu/skjold/pull/128, https://github.com/twu/skjold/pull/122).

Full Changelog: https://github.com/twu/skjold/compare/v0.5.0...v0.5.1
Source code(tar.gz)
Source code(zip)
v0.5.0(Jul 2, 2022)
Feature / Hotfix release.

Breaking: This version drops support for Python 3.6 (#117) and adds the filename to both output formats (#118).

Changes

Packaging: Switch to poetry-core (#91). Thanks @fabaff!

Gemnasium: Properly handle false positives/withdrawn CVEs marked with (,0) (#90). Thanks @stesix!

OSV: Support latest OSV/PyPA schema (only using ECOSYSTEM + versions) (#115). Thanks @Kurt-von-Laven!

Feature: Support handling multiple input files (#118). Thanks @joakimnordling!

Actions: Bump actions/checkout from 2.3.4 to 2.4.0 (#82).

Actions: Bump actions/setup-python from 2.2.2 to 2.3.2 (#93).

Breaking: Drops support for Python 3.6 (#117)

Full Changelog: https://github.com/twu/skjold/compare/v0.4.1...v0.5.0
Source code(tar.gz)
Source code(zip)
v0.4.1(Aug 9, 2021)
Hotfix release.

Changes

Github: Properly parse/handle github fixed version specifiers e.g. = 1.4.2. Fixes #61. Thanks @brondsem!

Github: Show correct environment variable name if Github API Token is not defined. See #62. Thanks @markus-k!

Source code(tar.gz)
Source code(zip)
v0.4.0(Aug 8, 2021)
Feature/Maintenance release.

Important!: From this release onwards skjold depends on/uses packaging instead of poetry-semver (See #52 for details).

Changes

Use packaging for parsing versions instead of poetry-semver. See #52

Display helpful message if Github Token is not found/set when using the github source. See #56

Updated dependencies.

Source code(tar.gz)
Source code(zip)
v0.3.2(Jun 21, 2021)
Bugfix release.

Changes

Removing verbose flag from .pre-commit-hook.yaml as it is only supposed to be used during debugging. See Comment Thanks @asottile!

Bump types-pyyaml from 0.1.9 to 5.4.3 (#49)

Source code(tar.gz)
Source code(zip)
v0.3.1(Jun 20, 2021)
Bugfix release.

Changes

Bumps minimal click version to 8.x to fix issue with changed get_default signature.

Source code(tar.gz)
Source code(zip)
v0.3.0(Jun 20, 2021)
Feature / Maintenance release.

Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

Breaking Changes

CLI: skjold will now always write the number of ignored findings and vulnerable packages to stderr. The rest of the output json or cli are still written to stdout for easier redirection.

Changes

CLI: Temporarily or permanently ignore findings based on their source identifiers added to .skjoldignore. (See #47) Thanks @micheller!

CLI: skjold now outputs ignored findings when using cli or json output formats.

OSV/PyPA Advisory DB: Initial support for using either osv or pypa as sources. (See #45)

CLI: Advisories with additional references are added to the cli output if present.

Bumps mypy to 0.902

Moves mypy.ini to pyproject.toml.

Adds types-toml and types-PyYAML as dev dependencies.

Update README.md.

Source code(tar.gz)
Source code(zip)
v0.2.1(Feb 1, 2021)
Bugfix / Maintenance release.

Changes

Gemnasium: Assume all versions are affected if 'affected_versions' string is empty. (#30). Thanks @dermoumi!

Bump pyyaml from 5.3.1 to 5.4.1 (#24, #26)

Bump coverage from 5.3.1 to 5.4 (#29)

Bump pytest from 6.2.1 to 6.2.2 (#28)

Bump mypy from 0.790 to 0.800 (#27)

Bump pytest-cov from 2.10.1 to 2.11.1 (#23, #25)

Bump pytest-mock from 3.4.0 to 3.5.1 (#21, #22)

Update README.md.

Source code(tar.gz)
Source code(zip)
v0.2.0(Jan 2, 2021)
Bugfix / Feature release.

Changes

Refactored CLI.

Fix issue with CLI defaults overriding already set values. Fixes #11. Thanks @inkhey!

Add py.typed marker file (PEP 561).

Replaced tomlkit with the more commonly used toml.

Replaced requests with urllib from the standard library.

Remove pytest-env since it is unused.

Use latest actions/checkout and actions/setup-python in test workflow.

Dependencies are now updated by dependabot.

Updated dependencies.

Source code(tar.gz)
Source code(zip)
v0.1.6(Oct 5, 2020)
Bugfix / Maintenance release.

Changes

Update README.md. Fix for wrong option name in documentation. Thanks @endwaa ! (#7)

Properly handle PyUp $meta field when populating advisories from cache. (#8)

Set pre-commit default python interpreter from 3.7 to 3.8.

Start testing against 3.9.0-rc2.

Use latest actions/[email protected] and actions/[email protected] in test workflow.

Update pre-commit hook (v2.5.0 -> v3.2.0) and black hook (19.10b0 -> 20.8b1) repositories.

Updated dependencies.

Source code(tar.gz)
Source code(zip)
v0.1.5(Mar 4, 2020)
Feature release.

Changes

Determine severity (Base Score) using CVSS 2.0 / CVSS 3.x vectors from Gemnasium records.

Print Warning to stderr when failing to extract package and pinned version from a requirements.txt-formatted file. Thanks @brondsem! (#3)

Simplify pre-commit instructions. Thanks @asottile ! (#6)

Updated dependencies.

Source code(tar.gz)
Source code(zip)
v0.1.4(Mar 1, 2020)
Bugfix release.

Changes

Fix #4: CLI crashes when given unknown severity level. Thanks @brondsem! (PR #5)

Use red instead of yellow for results with UNKNOWN severity from PyUP and Gemnasium where skjold is (currently) not able to extract or calculate the severity of the item.

Colorize results with UNKNOWN severity red instead of yellow.

Extend CLI coloring dictionary to cover CVSS v2.0 and CVSS v3.0 severity levels.

Set returned severity of PyUP results to 'UNKNOWN' as severity is not present in safety-db.

Start handling comments in requirements.txt. Thanks @brondsem!

Add bug tracker and changelog URLs to pyproject.toml.

Update README.md. Thanks @brondsem!

Extended tests.

Source code(tar.gz)
Source code(zip)
v0.1.3(Feb 8, 2020)
Bugfix release.

Changes

Support for Python 3.6.

Type annotations for tests.

Documentation

Fixed broken links in README.md. Thanks @ghtyrant!

Source code(tar.gz)
Source code(zip)
v0.1.2(Jan 29, 2020)
Bugfix release.

Changes

Fix installation issue with .pre-commit-hooks.yaml setup.

Update README.md (Typos, Anchors).

Source code(tar.gz)
Source code(zip)
v0.1.1(Jan 26, 2020)
Initial release.

Changes

Support for PyUP.io safety-db, GitHub Advisory Database, and GitLab gemnasium-db.

Added pre-commit hook.

Support for json as additional output format.

Support reading poetry.lock files (poetry).

Support reading Pipfile.lock files (pipenv).

Support for reading frozen requirements.txt from file or stdin (e.g. via pip freeze.

Basic caching.

Configuration via tools.skjold in pyproject.toml.

Source code(tar.gz)
Source code(zip)

Owner

GitHub Repository

𝙾𝚙𝚎𝚗 𝚂𝚘𝚞𝚛𝚌𝚎 𝚂𝚌𝚛𝚒𝚙𝚝 - 𝙽𝚘 𝙲𝚘𝚙𝚢𝚛𝚒𝚐𝚑𝚝 - 𝚃𝚎𝚊𝚖 𝚆𝚘𝚛𝚔 - 𝚂𝚒𝚖𝚙𝚕𝚎 𝙿𝚢𝚝𝚑𝚘𝚗 𝙿𝚛𝚘𝚓𝚎𝚌𝚝 - 𝙲𝚛𝚎𝚊𝚝𝚎𝚍 𝙱𝚢 : 𝙰𝚕𝚕 𝚃𝚎𝚊𝚖 - 𝙲𝚘𝚙𝚢𝙿𝚊𝚜𝚝 𝙲𝚊𝚗 𝙽𝚘𝚝 𝙼𝚊𝚔𝚎 𝚈𝚘𝚞 𝚁𝚎𝚊𝚕 𝙿𝚛𝚘𝚐𝚛𝚊𝚖𝚖𝚎𝚛

𝙾𝚙𝚎𝚗 𝚂𝚘𝚞𝚛𝚌𝚎 𝚂𝚌𝚛𝚒𝚙𝚝 - 𝙽𝚘 𝙲𝚘𝚙𝚢𝚛𝚒𝚐𝚑𝚝 - 𝚃𝚎𝚊𝚖 𝚆𝚘𝚛𝚔 - 𝚂𝚒𝚖𝚙𝚕𝚎 𝙿𝚢𝚝𝚑𝚘𝚗 𝙿𝚛𝚘𝚓𝚎𝚌𝚝 - 𝙲𝚛𝚎𝚊𝚝𝚎𝚍 𝙱𝚢 : 𝙰𝚕𝚕 𝚃𝚎𝚊𝚖 - 𝙲𝚘𝚙𝚢𝙿𝚊𝚜𝚝 𝙲𝚊𝚗 𝙽𝚘𝚝 𝙼𝚊𝚔𝚎 𝚈𝚘𝚞 𝚁𝚎𝚊𝚕 𝙿𝚛𝚘𝚐𝚛𝚊𝚖𝚖𝚎𝚛

2 Oct 27, 2022

Security audit Python project dependencies against security advisory databases.

Related tags

Overview

Introduction

Motivation

Installation

Usage

Examples

Ignore Findings

Configuration

Github

Version Control Integration

Contributing

Comments

v3.10.0

3.10.0 (2022-10-05)

Version 7.0.1 — 2022-12-23

Reproducible sample

Versions

Related source code

Possible fix

v3.3.0

What's Changed

New Contributors

Releases(v0.6.1)

v0.6.1(Dec 11, 2022)

What's Changed

v0.6.0(Nov 11, 2022)

Changes

v0.5.1(Oct 3, 2022)

Changes

v0.5.0(Jul 2, 2022)

v0.4.1(Aug 9, 2021)

v0.4.0(Aug 8, 2021)

v0.3.2(Jun 21, 2021)

v0.3.1(Jun 20, 2021)

v0.3.0(Jun 20, 2021)

v0.2.1(Feb 1, 2021)

v0.2.0(Jan 2, 2021)

v0.1.6(Oct 5, 2020)

v0.1.5(Mar 4, 2020)

v0.1.4(Mar 1, 2020)

v0.1.3(Feb 8, 2020)

v0.1.2(Jan 29, 2020)

v0.1.1(Jan 26, 2020)

Owner

RCE Exploit for Gitlab < 13.9.4

A python implementation of the windows 95 product key check.

Lazarus analysis tools and research report

MainCoon - an automated recon framework

A deobfuscator for multiple python obfuscators

Orthrus is a macOS agent that uses Apple's MDM to backdoor a device using a malicious profile.

🐎🖥《赛马娘》（ウマ娘: Pretty Derby）辅助脚本

Zero-attacker is an multipurpose hacking tool with over 12 tools

A hashtag check python module

Sonoff NSPanel protocol and hacking information. Tasmota Berry driver for NSPanel

IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Hack any account sending fake nitro QR code (only for educational purpose)

This repo created for bypassing Widevine L3 DRM and obtaining keys.

Static Token And Credential Scanner

FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

A knockoff social-engineer toolkit

A brute force tool for password-protected zip file

Discord Region Swapping Exploit (VC Overload)

This is a Cryptographied Password Manager, a tool for storing Passwords in a Secure way