pyraider's People

Contributors

raidersource, tilakthimmappa

pyraider's Issues

Reports fixed versions as vulnerable

When running against Pipfile.lock, several packages are reported as vulnerable, even though they are upgraded to a version that is fixed. All these packages have newer versions available though.

For instance:

$ pyraider check -f Pipfile.lock 

  _____       _____       _     _
 |  __ \     |  __ \     (_)   | |
 | |__) |   _| |__) |__ _ _  __| | ___ _ __
 |  ___/ | | |  _  // _` | |/ _` |/ _ \ '__|
 | |   | |_| | | \ \ (_| | | (_| |  __/ |
 |_|    \__, |_|  \_\__,_|_|\__,_|\___|_|
         __/ |
        |___/

by RaiderSource version 1.0.11

Started Scanning .....
+-----------------+------------------------------------------------------------+
|     Package     |                          httplib2                          |
+-----------------+------------------------------------------------------------+
|    Severity     |                           MEDIUM                           |
+-----------------+------------------------------------------------------------+
|       CWE       |                             93                             |
+-----------------+------------------------------------------------------------+
|       CVE       |                       CVE-2020-11078                       |
+-----------------+------------------------------------------------------------+
| Current version |                           0.19.0                           |
+-----------------+------------------------------------------------------------+
|    Update To    |                           0.19.1                           |
+-----------------+------------------------------------------------------------+
|   Description   | In httplib2 before version 0.18.0, an attacker controlling |
|                 |  unescaped part of uri for `httplib2.Http.request()` could |
|                 |  change request headers and body, send additional hidden r |
|                 | equests to same server. This vulnerability impacts softwar |
|                 | e that uses httplib2 with uri constructed by string concat |
|                 | enation, as opposed to proper urllib building with escapin |
|                 |             g. This has been fixed in 0.18.0.              |
+-----------------+------------------------------------------------------------+
|     Resolve     |                pip install httplib2==0.19.1                |
+-----------------+------------------------------------------------------------+
|    More Info    |      https://nvd.nist.gov/vuln/detail/CVE-2020-11078       |
+-----------------+------------------------------------------------------------+

httplib2 0.19.0 is not listed as vulnerable: https://nvd.nist.gov/vuln/detail/CVE-2020-11078/cpes?expandCpeRanges=true
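The report above flags httplib2 0.19.0 for a CVE whose own description says it was fixed in 0.18.0, and the reporter notes that every flagged package simply has a newer release available. The following is an added example, not pyraider's code, of the check a scanner should make: compare the installed version with the advisory's fixed-in version, and treat "a newer release exists" as an update hint rather than a finding. It handles plain dotted release numbers only (no pre-release or local tags), and the `HTTPLIB2` record is constructed from the values in the table above.

```python
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as "0.19.0" into a tuple of ints."""
    return tuple(int(part) for part in v.strip().split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components count as zero,
    so "0.18" compares equal to "0.18.0" (a naive tuple compare would not)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, fixed_in: str) -> bool:
    """The correct test: the advisory applies only while installed < fixed_in."""
    return compare(installed, fixed_in) < 0


def newer_release_exists(installed: str, latest: str) -> bool:
    """What the false positive above looks like: comparing against the latest
    release. This says "an update exists", not "this version is vulnerable"."""
    return compare(installed, latest) < 0


# Constructed record modelled on the httplib2 table above (assumed values).
HTTPLIB2 = {"package": "httplib2", "installed": "0.19.0", "latest": "0.19.1",
            "fixed_in": "0.18.0", "cve": "CVE-2020-11078"}


def classify(rec: dict) -> str:
    """Report a vulnerability only when the fixed-in comparison says so."""
    if is_affected(rec["installed"], rec["fixed_in"]):
        return f"VULNERABLE ({rec['cve']}): upgrade to >= {rec['fixed_in']}"
    if newer_release_exists(rec["installed"], rec["latest"]):
        return f"not affected by {rec['cve']}; newer release {rec['latest']} available"
    return f"not affected by {rec['cve']}; up to date"


if __name__ == "__main__":
    print(classify(HTTPLIB2))
```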

Failed to download database

Pyraider Version: 1.0.19
Python Version: 3.8.9
OS Version: macOS Monterey 12.1

$ pyraider go -e html results.html
  _____       _____       _     _
 |  __ \     |  __ \     (_)   | |
 | |__) |   _| |__) |__ _ _  __| | ___ _ __
 |  ___/ | | |  _  // _` | |/ _` |/ _ \ '__|
 | |   | |_| | | \ \ (_| | | (_| |  __/ |
 |_|    \__, |_|  \_\__,_|_|\__,_|\___|_|
         __/ |
        |___/
by TilakThimmappa version 1.0.19
Started Scanning .....
Downloading resources to scan the packages, It may take some time to download  .....
There is some error. You need to enable `https://pyraider-source-data.s3-us-west-2.amazonaws.com/` URL to download database

When running a scan, it is not able to fetch the database from S3. It seems there is some access issue.

Upgrade pyraider to Conda

Some organizations prefer conda over pip. Conda can be applied to any package type, not restricted to Python only, unlike PyPI.

Pyraider can expand to the Anaconda repo, not just PyPI.

Consider it a feature request.

pyraider autofix updated a package which was not listed by pyraider go

pyraider version: 1.8.5
Python version: 3.7.3
Operating System: Mac OSX Catalina (version 10.15.4)

Description:

Ran go command:

$ pyraider go
  _____       _____       _     _
 |  __ \     |  __ \     (_)   | |
 | |__) |   _| |__) |__ _ _  __| | ___ _ __
 |  ___/ | | |  _  // _` | |/ _` |/ _ \ '__|
 | |   | |_| | | \ \ (_| | | (_| |  __/ |
 |_|    \__, |_|  \_\__,_|_|\__,_|\___|_|
         __/ |
        |___/

by RaiderSource version 1.0.2

Started Scanning .....
+-----------------+------------------------------------------------------------+
|     Package     |                          urllib3                           |
+-----------------+------------------------------------------------------------+
|    Severity     |                            HIGH                            |
+-----------------+------------------------------------------------------------+
|       CWE       |                            400                             |
+-----------------+------------------------------------------------------------+
|       CVE       |                       CVE-2020-7212                        |
+-----------------+------------------------------------------------------------+
| Current version |                           1.25.9                           |
+-----------------+------------------------------------------------------------+
|    Update To    |                   Package is up to date                    |
+-----------------+------------------------------------------------------------+
|   Description   | The _encode_invalid_chars function in util/url.py in the u |
|                 | rllib3 library 1.25.2 through 1.25.7 for Python allows a d |
|                 | enial of service (CPU consumption) because of an inefficie |
|                 | nt algorithm. The percent_encodings array contains all mat |
|                 | ches of percent encodings. It is not deduplicated. For a U |
|                 | RL of length N, the size of percent_encodings may be up to |
|                 |  O(N). The next step (normalize existing percent-encoded b |
|                 | ytes) also takes up to O(N) for each step, so the total ti |
|                 | me is O(N^2). If percent_encodings were deduplicated, the  |
|                 | time to compute _encode_invalid_chars would be O(kN), wher |
|                 |              e k is at most 484 ((10+6*2)^2).              |
+-----------------+------------------------------------------------------------+
|     Resolve     |                pip install urllib3==1.25.9                 |
+-----------------+------------------------------------------------------------+
|    More Info    |       https://nvd.nist.gov/vuln/detail/CVE-2020-7212       |
+-----------------+------------------------------------------------------------+


+-----------------+------------------------------------------------------------+
|     Package     |                           safety                           |
+-----------------+------------------------------------------------------------+
|    Severity     |                            LOW                             |
+-----------------+------------------------------------------------------------+
|       CWE       |                       NVD-CWE-noinfo                       |
+-----------------+------------------------------------------------------------+
|       CVE       |                       CVE-2020-5252                        |
+-----------------+------------------------------------------------------------+
| Current version |                           1.9.0                            |
+-----------------+------------------------------------------------------------+
|    Update To    |                   Package is up to date                    |
+-----------------+------------------------------------------------------------+
|   Description   | The command-line "safety" package for Python has a potenti |
|                 | al security issue. There are two Python characteristics th |
|                 | at allow malicious code to “poison-pill” command-line Safe |
|                 | ty package detection routines by disguising, or obfuscatin |
|                 | g, other malicious or non-secure packages. This vulnerabil |
|                 | ity is considered to be of low severity because the attack |
|                 |  makes use of an existing Python condition, not the Safety |
|                 |  tool itself. This can happen if: You are running Safety i |
|                 | n a Python environment that you don’t trust. You are runni |
|                 | ng Safety from the same Python environment where you have  |
|                 | your dependencies installed. Dependency packages are being |
|                 |  installed arbitrarily or without proper verification. Use |
|                 | rs can mitigate this issue by doing any of the following:  |
|                 | Perform a static analysis by installing Docker and running |
|                 |  the Safety Docker image: $ docker run --rm -it pyupio/saf |
|                 | ety check -r requirements.txt Run Safety against a static  |
|                 | dependencies list, such as the requirements.txt file, in a |
|                 |  separate, clean Python environment. Run Safety from a Con |
|                 | tinuous Integration pipeline. Use PyUp.io, which runs Safe |
|                 | ty in a controlled environment and checks Python for depen |
|                 | dencies without any need to install them. Use PyUp's Onlin |
|                 |                  e Requirements Checker.                   |
+-----------------+------------------------------------------------------------+
|     Resolve     |                 pip install safety==1.9.0                  |
+-----------------+------------------------------------------------------------+
|    More Info    |       https://nvd.nist.gov/vuln/detail/CVE-2020-5252       |
+-----------------+------------------------------------------------------------+


+-----------------+------------------------------------------------------------+
|     Package     |                           pyyaml                           |
+-----------------+------------------------------------------------------------+
|    Severity     |                            HIGH                            |
+-----------------+------------------------------------------------------------+
|       CWE       |                             20                             |
+-----------------+------------------------------------------------------------+
|       CVE       |                       CVE-2020-1747                        |
+-----------------+------------------------------------------------------------+
| Current version |                           5.3.1                            |
+-----------------+------------------------------------------------------------+
|    Update To    |                   Package is up to date                    |
+-----------------+------------------------------------------------------------+
|   Description   | A vulnerability was discovered in the PyYAML library in ve |
|                 | rsions before 5.3.1, where it is susceptible to arbitrary  |
|                 | code execution when it processes untrusted YAML files thro |
|                 | ugh the full_load method or with the FullLoader loader. Ap |
|                 | plications that use the library to process untrusted input |
|                 |  may be vulnerable to this flaw. An attacker could use thi |
|                 | s flaw to execute arbitrary code on the system by abusing  |
|                 |             the python/object/new constructor.             |
+-----------------+------------------------------------------------------------+
|     Resolve     |                 pip install pyyaml==5.3.1                  |
+-----------------+------------------------------------------------------------+
|    More Info    |       https://nvd.nist.gov/vuln/detail/CVE-2020-1747       |
+-----------------+------------------------------------------------------------+

After that, autofix:

$ pyraider autofix

  _____       _____       _     _
 |  __ \     |  __ \     (_)   | |
 | |__) |   _| |__) |__ _ _  __| | ___ _ __
 |  ___/ | | |  _  // _` | |/ _` |/ _ \ '__|
 | |   | |_| | | \ \ (_| | | (_| |  __/ |
 |_|    \__, |_|  \_\__,_|_|\__,_|\___|_|
         __/ |
        |___/

by RaiderSource version 1.0.2

Are you sure want to update all the packages, It might affect other packages? [Y/n] Y

Collecting gunicorn==20.0.4
  Downloading https://files.pythonhosted.org/packages/69/ca/926f7cd3a2014b16870086b2d0fdc84a9e49473c68a8dff8b57f7c156f43/gunicorn-20.0.4-py2.py3-none-any.whl (77kB)
    100% |████████████████████████████████| 81kB 1.5MB/s 
Requirement already satisfied: setuptools>=3.0 in ./.pyenv/versions/3.7.3/lib/python3.7/site-packages (from gunicorn==20.0.4) (40.8.0)
Installing collected packages: gunicorn
Successfully installed gunicorn-20.0.4
You are using pip version 19.0.3, however version 20.2b1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
0

A prompt

Are you sure want to update all the packages, It might affect other packages?

appears without showing the list of packages it is trying to update. pyraider wrongly updated gunicorn, which was not in the pyraider go list.

After that, ran pyraider go again, but the list was the same.

@TilakT I was just checking the capability of pyraider and found this :) Hope it will be a helpful bug to fix.
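The complaint above is that autofix upgraded a package (gunicorn) that the scan never listed. The following is an added example, not pyraider's code, of how an autofix step can be tied to the scan output: it parses the table layout pyraider prints and only ever plans a `pip install` for packages that appear in the report with a concrete "Update To" version. The `SAMPLE_REPORT` is constructed in the same layout as the tables above; wrapped fields such as Description are joined line by line and are not needed for the decision.

```python
import re
from typing import Dict, List

# Constructed sample in the same layout as the scan tables above, trimmed to
# the fields this example needs.
SAMPLE_REPORT = """\
+-----------------+------------------------------------------------------------+
|     Package     |                          urllib3                           |
+-----------------+------------------------------------------------------------+
|    Update To    |                   Package is up to date                    |
+-----------------+------------------------------------------------------------+

+-----------------+------------------------------------------------------------+
|     Package     |                          httplib2                          |
+-----------------+------------------------------------------------------------+
| Current version |                           0.19.0                           |
+-----------------+------------------------------------------------------------+
|    Update To    |                           0.19.1                           |
+-----------------+------------------------------------------------------------+
"""

PIN = re.compile(r"^\d+(\.\d+)*$")  # a concrete release number such as 0.19.1


def parse_report(text: str) -> List[Dict[str, str]]:
    """One dict per table; a "Package" row starts a new record, a row with an
    empty key is a continuation of the previous (wrapped) field."""
    records: List[Dict[str, str]] = []
    current, last_key = None, None
    for line in text.splitlines():
        if not line.startswith("|"):          # skip separators and blank lines
            continue
        key, value = (c.strip() for c in line.strip("|").split("|", 1))
        if key == "Package":
            current = {}
            records.append(current)
        if current is None:
            continue
        if key:
            last_key = key
            current[key] = value
        elif last_key:
            current[last_key] += " " + value
    return records


def planned_upgrades(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Only packages the scan listed with a target version are eligible;
    "Package is up to date" rows and unlisted packages are never touched."""
    return {r["Package"]: r["Update To"] for r in records
            if PIN.match(r.get("Update To", ""))}


def pip_commands(records: List[Dict[str, str]]) -> List[str]:
    """Pinned install commands, shown to the user before anything runs."""
    return [f"pip install {pkg}=={ver}"
            for pkg, ver in sorted(planned_upgrades(records).items())]
```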
