
dependency-check-py's Introduction

dependency-check


Shim to easily install the OWASP dependency-check-cli tool into Python projects.


Overview

dependency-check scans application dependencies and checks whether they contain any published vulnerabilities (based on the NIST NVD). It runs in the JVM, so you need a Java runtime with java available in your PATH. The script should work on Linux, Mac OSX and Windows, but is currently only tested on Linux.

Usage

After installation, you'll have the dependency-check command available that, on first use, will automatically download and install the OWASP release archive once for all projects. It'll then redirect any calls to that installation, meaning the downloaded NVD data is shared amongst projects.

dependency-check --disableAssembly -s . -o build --project "$(python ./setup.py --name)" \
    --exclude ".git/**" --exclude ".venv/**" --exclude "**/__pycache__/**" --exclude ".tox/**" \
    && xdg-open build/dependency-check-report.html

Please see the DependencyCheck site for more configuration and usage details.

To install from PyPI, add dependency-check to your dev-requirements.txt or a similar file. For more installation options, see the “Installation” section below.
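Once the scan has produced a report, a CI job usually needs to turn it into a pass/fail decision. The following is an added example written for this page, not code from the dependency-check-py shim; it reads a JSON report (dependency-check --format JSON) and assumes the layout of DependencyCheck's JSON report, namely a top-level "dependencies" list whose entries carry a "vulnerabilities" list with "cvssv3"/"cvssv2" blocks. SAMPLE_REPORT is constructed for illustration and its vulnerability names are placeholders, not real CVE identifiers.

```python
"""Fail a build on findings in a dependency-check JSON report.

Added example for this page; it is not part of the dependency-check-py shim.
The report layout below (top-level "dependencies", each with a
"vulnerabilities" list carrying "cvssv3"/"cvssv2" blocks) is assumed from
DependencyCheck's JSON report format.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of dependency-check-report.json (--format JSON).
# Vulnerability names are placeholders, not real CVE identifiers.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "libfoo-1.0.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-CRITICAL", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-MEDIUM", "severity": "MEDIUM",
              "cvssv2": {"score": 4.3}},
         ]},
        {"fileName": "libbar-2.1.jar", "vulnerabilities": []},
        {"fileName": "libbaz-0.3.jar"},   # no "vulnerabilities" key at all
    ],
})


def vuln_score(vuln: Dict) -> Optional[float]:
    """Prefer the CVSS v3 base score; fall back to v2; None if neither is present."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return None


def findings_at_or_above(report_text: str, threshold: float) -> List[Tuple[str, str, float]]:
    """Return (dependency, vulnerability, score) for every finding >= threshold,
    highest score first."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        # A dependency may have an empty list or no "vulnerabilities" key at all.
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score is not None and score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda hit: -hit[2])


def gate(report_text: str, threshold: float = 7.0) -> int:
    """Exit status for CI: 1 when any finding reaches the threshold, else 0."""
    hits = findings_at_or_above(report_text, threshold)
    for dep, name, score in hits:
        print(f"{dep}: {name} (CVSS {score})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py build/dependency-check-report.json 7.0
    # Without arguments the constructed SAMPLE_REPORT is evaluated.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    sys.exit(gate(text, float(sys.argv[2]) if len(sys.argv) > 2 else 7.0))
```

Run it after the scan as a separate pipeline step; the threshold is a CVSS score, so findings without any CVSS data are reported as not gated rather than silently dropped into either bucket.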


Customization

Using environment variables, you can change the version and download location of the release archive, and the directory for the local installation.

Variable                  Default
DEPENDENCY_CHECK_VERSION  6.2.2
DEPENDENCY_CHECK_URL      https://github.com/jeremylong/DependencyCheck/releases/download/v{version}/dependency-check-{version}-release.zip
DEPENDENCY_CHECK_HOME     ~/.local/dependency-check
DEPENDENCY_CHECK_NVD_URL  (unset: the official NIST NVD feed URLs are used)

To update to a new version of the OWASP software, delete ~/.local/dependency-check/bin/, set DEPENDENCY_CHECK_VERSION to the new version number, and call dependency-check.

The variable DEPENDENCY_CHECK_NVD_URL can be used to point to a local copy of the various NVD feeds, in a flat hierarchy with compressed JSON files.

export DEPENDENCY_CHECK_NVD_URL='https://repo.local/nvd/nvdcve-1.1-%d.json.gz'

If you set this, the options --cveUrlBase and --cveUrlModified will be added to each call. Note that the %d representing the year is replaced by modified for the latter.

Remove the ~/.local/dependency-check/data/ directory to force a full data reload.
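How these variables are expanded, as an added example written for this page (it is not the shim's own code): the defaults mirror the table above, the launcher path follows the bin/dependency-check.sh location the shim uses, and the NVD template is turned into the --cveUrlBase/--cveUrlModified pair as described. DEPENDENCY_CHECK_SHA256 is an assumed, hypothetical variable added here so that the downloaded release archive can be pinned to a known digest instead of trusting the download channel alone; the shim itself does not define it.

```python
"""Resolve the shim's settings from the environment and build the CLI call.

Added example for this page; it is not the dependency-check-py shim's own
code.  Defaults mirror the customization table.  DEPENDENCY_CHECK_SHA256 is
an assumed, hypothetical variable used here to pin the release archive's
digest; the shim itself does not define it.
"""
import hashlib
import hmac
import os
from pathlib import Path
from typing import Dict, List, Optional

DEFAULT_VERSION = "6.2.2"
DEFAULT_URL = ("https://github.com/jeremylong/DependencyCheck/releases/download/"
               "v{version}/dependency-check-{version}-release.zip")
DEFAULT_HOME = "~/.local/dependency-check"


def resolve_settings(env: Dict[str, str]) -> Dict[str, object]:
    """Expand version, download URL and install directory from the environment."""
    version = env.get("DEPENDENCY_CHECK_VERSION", DEFAULT_VERSION)
    url = env.get("DEPENDENCY_CHECK_URL", DEFAULT_URL).format(version=version)
    home = Path(os.path.expanduser(env.get("DEPENDENCY_CHECK_HOME", DEFAULT_HOME)))
    return {
        "version": version,
        "url": url,
        "home": home,
        "bin_dir": home / "bin",      # delete to force a re-install of the release
        "data_dir": home / "data",    # delete to force a full NVD data reload
        "script": home / "bin" / "dependency-check.sh",   # POSIX launcher
    }


def nvd_url_options(env: Dict[str, str]) -> List[str]:
    """Turn DEPENDENCY_CHECK_NVD_URL into --cveUrlBase / --cveUrlModified.

    The base URL keeps the %d year placeholder (DependencyCheck expands it
    per feed year); the modified-feed URL gets %d replaced by 'modified'.
    """
    template = env.get("DEPENDENCY_CHECK_NVD_URL", "")
    if not template:
        return []
    if "%d" not in template:
        raise ValueError("DEPENDENCY_CHECK_NVD_URL must contain a %d year placeholder")
    return [
        "--cveUrlBase", template,
        "--cveUrlModified", template.replace("%d", "modified"),
    ]


def verify_archive(data: bytes, expected_sha256: Optional[str]) -> bool:
    """Compare the downloaded archive against a pinned SHA-256 hex digest.

    Returns True when no digest is pinned (only the download channel is
    trusted) or when the digest matches; False on mismatch.  The constant-time
    compare is not strictly needed for a public digest but costs nothing.
    """
    if not expected_sha256:
        return True
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def build_command(env: Dict[str, str], scan_args: List[str]) -> List[str]:
    """Argument vector handed to the installed launcher script."""
    settings = resolve_settings(env)
    return [str(settings["script"])] + nvd_url_options(env) + list(scan_args)


if __name__ == "__main__":
    # Show what the current environment would resolve to (assumed variable
    # DEPENDENCY_CHECK_SHA256 read here only to demonstrate the pin check).
    settings = resolve_settings(dict(os.environ))
    print(settings["url"])
    print(" ".join(build_command(dict(os.environ), ["-s", ".", "-o", "build"])))
    print("pin configured:", bool(os.environ.get("DEPENDENCY_CHECK_SHA256")))
```

A practitioner pinning the archive would obtain the expected digest out of band (for example from the upstream release page) and set it per version, so that a changed DEPENDENCY_CHECK_VERSION also forces a new digest.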

Installation

To just get the dependency-check CLI tool installed into your home directory, independent of any project, call python3 -m pip install --user dependency-check as usual; see the releases page for an overview of available versions.

If you prefer an isolated and easily removable venv installation, consider using dephell jail install dependency-check instead.

To get a bleeding-edge version from source, use these commands:

repo="jhermann/dependency-check-py"
python3 -m pip install -r "https://raw.githubusercontent.com/$repo/master/requirements.txt"
python3 -m pip install "https://github.com/$repo/archive/master.zip#egg=dependency-check"

As a developer, to create a working directory for this project, call these commands:

git clone "https://github.com/jhermann/dependency-check-py.git"
cd "dependency-check-py"
command . .env --yes --develop
invoke build --docs test check

You might also need to follow some setup procedures to make the necessary basic commands available on Linux, Mac OS X, and Windows.

Other Python Security Tools

  • openstack/bandit – Security linter designed to find common security issues in Python code, by static AST analysis.
  • pyupio/safety – Safety checks your installed dependencies for known security vulnerabilities.
    • pyupio/safety-db – A curated database of security vulnerabilities in Python packages.
  • eliasgranderubio/dagda – Static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images, and runtime monitoring of containers for anomalous activities.
  • anchore/anchore-engine – A service for inspection, analysis and certification of container images, provided as a ready-to-deploy Docker container image.
  • sonatype-nexus-community/jake – An OSS Index integration to check your Conda environments for vulnerable Open Source packages.
  • vintasoftware/python-linters-and-code-analysis – Curated list of Python linters and code analysis tools.

dependency-check-py's People

Contributors: jhermann, movermeyer


dependency-check-py's Issues

dependency check 404 error

Hello,

Running dependency check using

dependency-check --disableAssembly -s / -o build

results in the below error:

root:/# dependency-check --disableAssembly -s / -o build

Downloading 'https://bintray.com/artifact/download/jeremy-long/owasp/dependency-check-5.2.4-release.zip'...
Traceback (most recent call last):
  File "/opt/conda/bin/dependency-check", line 8, in <module>
    sys.exit(run())
  File "/opt/conda/lib/python3.6/site-packages/dependency_check.py", line 110, in run
    dc_command = install()
  File "/opt/conda/lib/python3.6/site-packages/dependency_check.py", line 63, in install
    with closing(urlopen(dc_url)) as url_handle:
  File "/opt/conda/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/conda/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/opt/conda/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/opt/conda/lib/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/opt/conda/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/opt/conda/lib/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found

Installation method

pip install dependency-check

Downloading owasp artifact from bintray results in 403 forbidden

Is it possible the permissions on the storage was changed?


Traceback (most recent call last):
  File "/tmp/py3env/bin/dependency-check", line 8, in <module>
    sys.exit(run())
  File "/tmp/py3env/lib/python3.6/site-packages/dependency_check.py", line 110, in run
    dc_command = install()
  File "/tmp/py3env/lib/python3.6/site-packages/dependency_check.py", line 63, in install
    with closing(urlopen(dc_url)) as url_handle:
  File "/usr/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/usr/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python3.6/urllib/request.py", line 564, in error
    result = self._call_chain(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 756, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/usr/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 403: Forbidden

not able to analyse python code

I'm trying to scan the Python dependencies, but it shows nothing.

the testing python code is : https://github.com/jhermann/dependency-check-py.git

./dependency-check --disableAssembly -s . -o build --project "$(python ./setup.py --name)" --enableExperimental --log odc.log && xdg-open ../build/dependency-check-report.html

the html report shows :

Project: app
Scan Information (show less):

dependency-check version: 5.2.4
Report Generated On: Tue, 4 Feb 2020 17:29:22 -0500
Dependencies Scanned: 0 (0 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
NVD CVE Checked: 2020-02-04T17:29:08
NVD CVE Modified: 2020-02-04T16:02:04
VersionCheckOn: 2020-02-04T17:29:08

Apparently it's not able to detect the dependencies.

Are there any specific details that need to be in the repo in order for it to be scanned correctly?

Permissions are incorrect on initial setup

When I attempted to run this as part of a Jenkins pipeline I had the following error:

Traceback (most recent call last):
  File "/srv/jenkins/venv/myproject/bin/dependency-check", line 7, in <module>
    from dependency_check import run
  File "/srv/jenkins/venv/myproject/lib64/python3.6/site-packages/dependency_check.py", line 77
    os.chmod(os.path.join(dc_home, 'bin', 'dependency-check.sh'), 0755)
                                                                     ^
SyntaxError: invalid token

This was running on a CentOS machine, with Python 3.6 installed. dependency-check was installed via
pip3 install -r requirements.txt
where requirements.txt included dependency-check.

[ERROR] Unable to read yarn audit output.

I'm using dependency-check==0.6.0 from PyPI to perform a scan with the command dependency-check --scan /my/scan/path --format JSON. The scan process seems to have finished, because dependency-check-report.json was generated, but the running process ended with a non-zero exit code and the error message [ERROR] Unable to read yarn audit output.

Option to produce both XML and HTML report

I currently run dependency-check twice, to obtain both xml and html report for usage in sonar:

dependency-check --format XML --out reports/dependency-check.xml
dependency-check --format HTML --out reports/dependency-check.html

This is advised by the Dependency-Check Sonar plugin configuration

It would be nice to be able to generate both at once, while retaining the option to specify the output filename (prefix).

PyPI version obsolete

I have been getting dependency-check from PyPI (https://pypi.org/project/dependency-check/). Now I realize that the version is very old (0.2.0). How can I get an up-to-date version in a Python environment? I'd like to continue using pip because I need to install it automatically in a continuous integration pipeline.

Output URL of Github repo

Hello.

I got the .jar file analysis result of my source code using the dependency-check-py tool.
But when the URL is a GitHub URL, the URL is not the full URL but just (owner)-(repo_name).
ex) whitesource/pecoff4j-maven

So, could you fix it to output the full GitHub URL?
